Internal Data Protection & Privacy Policy – ZH Finance Ltd (Small DA Firm)

Status: Internal / FCA & Governance Use Only
Effective Date: 6 January 2026
Last Reviewed: 6 January 2026
Next Review Due: January 2027 or upon material change

1. Purpose and Alignment

This Internal Data Protection & Privacy Policy sets out how ZH Finance Ltd ("the Firm") manages and protects personal data as a small, directly authorised (DA) FCA‑regulated credit intermediary.

This policy is intentionally aligned with, and underpins, the Firm’s customer‑facing Privacy Policy. Any commitments made to customers in the Privacy Policy are governed and delivered through the controls and arrangements set out in this document.

This policy demonstrates compliance with:

  • UK GDPR

  • Data Protection Act 2018

  • FCA Principles for Businesses

  • FCA SYSC requirements (applied proportionately)

2. Scope

This policy applies to:

  • All personal data processed by the Firm

  • All staff, directors, and contractors

  • All manual and electronic records

  • All systems, devices, and third‑party services used by the Firm

3. Data Protection Principles

The Firm processes personal data in accordance with the UK GDPR principles:

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality

  • Accountability

These principles must be embedded into day‑to‑day operations and decision‑making.

4. Roles, Responsibilities, and DPO Position

4.1 Senior Management Accountability

Senior management retains overall accountability for data protection and privacy and is responsible for:

  • Approving this policy and any material changes

  • Ensuring proportionate controls are in place

  • Overseeing data protection risks

4.2 Data Protection Responsibility / Contact Point

The Firm has assessed its obligations under Article 37 UK GDPR and has determined that it is not required to appoint a formal Data Protection Officer (DPO) due to its size, nature, and processing activities.

Responsibility for data protection compliance sits with a nominated senior manager, who:

  • Oversees data protection compliance

  • Acts as the internal escalation point for data protection matters

  • Acts as the contact point for the ICO and FCA if required

The external contact details used for data protection enquiries are published in the customer‑facing Privacy Policy and must remain consistent with this policy.

4.3 Staff Responsibilities

All staff must:

  • Comply with this policy and related procedures

  • Complete mandatory data protection training

  • Report any data protection concerns or incidents immediately

5. Categories of Personal Data Processed

In line with the customer‑facing Privacy Policy, the Firm processes:

  • Identity and contact data

  • Financial, employment, and affordability data

  • Identification and verification documents

  • Credit application data

  • Technical and usage data (where applicable)

  • Limited special category data (e.g. vulnerability information)

  • Criminal offence or fraud‑related data where legally required

Processing must always be limited to what is necessary.

6. Lawful Basis and Special Category Conditions

Each processing activity must have a documented lawful basis:

  • Performance of a contract

  • Legal obligation (FCA, AML, fraud prevention)

  • Legitimate interests

  • Consent (where required)

Special category data is processed only where necessary and with appropriate safeguards, relying on explicit consent or substantial public interest conditions.

7. Transparency and Customer Privacy Policy Alignment

The Firm maintains a clear customer‑facing Privacy Policy explaining:

  • What data is collected

  • How it is used

  • Who it is shared with

  • Customer rights

This internal policy ensures those disclosures are accurate, delivered in practice, and kept under review. Any change to processing activities must trigger a review of both documents.

8. Data Subject Rights and DSAR Handling

The Firm supports all data subject rights described in the customer‑facing Privacy Policy, including:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Objection

  • Data portability

  • Withdrawal of consent

Requests must be logged, assessed, and responded to within one calendar month.

9. Automated Decision‑Making and Profiling

Where automated decision‑making or profiling is used (e.g. credit assessment or fraud detection):

  • The lawful basis must be documented

  • Human review must be available where required

  • Processing must remain consistent with disclosures in the customer‑facing Privacy Policy

10. Records of Processing Activities (ROPA)

The Firm maintains a simplified ROPA, proportionate to its size, documenting:

  • Processing purposes

  • Data categories

  • Lawful bases

  • Data recipients

  • Retention periods

11. Data Retention

Personal data is retained in line with the retention periods disclosed to customers, including:

  • Customer and credit records: 5–7 years

  • AML records: 5 years after relationship end

  • Complaints records: minimum 3 years

Data is securely deleted or anonymised when no longer required.

12. Information Security

The Firm applies proportionate security measures consistent with the customer‑facing Privacy Policy, including:

  • Restricted access to systems and files

  • Secure passwords and device controls

  • Secure physical storage

  • Regular backups

13. Third Parties and International Transfers

Before sharing data with third parties, the Firm ensures:

  • Due diligence is completed

  • Appropriate contractual protections are in place

Where data is transferred outside the UK, appropriate safeguards (UK IDTA or adequacy decisions) are applied, in line with the customer‑facing Privacy Policy.

14. Vulnerable Customers and Sensitive Data

The Firm recognises its obligation to treat vulnerable customers fairly. Vulnerability data:

  • Is collected only where necessary

  • Is access‑restricted

  • Is handled sensitively and confidentially

15. Personal Data Breaches

All suspected or actual data breaches must be reported immediately.

In line with the customer‑facing Privacy Policy, the Firm will:

  • Investigate and contain the breach

  • Assess risk to individuals

  • Notify the ICO within 72 hours where required

  • Notify affected individuals and the FCA where appropriate

  • Record all actions taken

16. Training, Monitoring, and Review

All staff receive data protection training on induction and periodically thereafter.

This policy is reviewed at least annually and approved by senior management.

This Internal Data Protection & Privacy Policy is designed to follow on directly from, and fully support, the Firm’s customer‑facing Privacy Policy and associated supporting documents.