Customer-Facing Privacy Policy

Customer-Facing Privacy Policy

Privacy Policy – ZH Finance Ltd

Effective Date: 6 January 2026
Last Reviewed: 6 January 2026

1. Introduction

ZH Finance Ltd ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our services or interact with us.

This policy is drafted in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant Financial Conduct Authority (FCA) requirements.

2. About Us (Data Controller Details)

Company Name: ZH Finance Ltd
FCA Authorisation: Authorised and regulated by the Financial Conduct Authority (Firm Reference Number 767733)
Registered Address: 15 Pitt Street, Wolverhampton, WV3 0NF, United Kingdom
Email: finance@groupzenith.com
Telephone: +44 (0)1902 810 520

ZH Finance Ltd is the data controller for the personal data we process.

3. What Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Identity and Contact Data

  • Name, title, date of birth, gender

  • Postal address, email address, telephone number

3.2 Financial and Employment Data

  • Income, employment details, employer information

  • Bank details, financial commitments, affordability information

3.3 Identification and Verification Data

  • Passport, driving licence, national identity card

  • Proof of address documents

3.4 Credit Application Data

  • Information provided in credit applications

  • Information obtained from lenders and credit reference agencies

3.5 Technical and Usage Data

  • IP address, device information, website usage data, cookies (where applicable)

3.6 Special Category and Criminal Offence Data

Where necessary and lawful, we may process:

  • Health or vulnerability information (to support vulnerable customers)

  • Fraud markers or criminal offence data (for fraud prevention)

4. How We Collect Your Data

We collect personal data from:

  • You directly (forms, calls, emails, website submissions)

  • Lenders and finance providers

  • Credit reference agencies and fraud prevention agencies

  • Publicly available sources

  • Technology and service providers

5. Lawful Basis for Processing

We process your personal data under one or more of the following lawful bases:

5.1 Performance of a Contract

  • To assess, arrange, and administer credit and finance products.

5.2 Legal Obligation

  • To comply with FCA rules, anti-money laundering laws, fraud prevention obligations, and record-keeping requirements.

5.3 Legitimate Interests

  • To manage our business, prevent fraud, improve services, and communicate with you, provided your rights do not override our interests.

5.4 Consent

  • For marketing communications or where required for special category data.

5.5 Special Category Data Conditions

Where special category data is processed, we rely on:

  • Explicit consent, or

  • Substantial public interest (e.g., preventing fraud or supporting vulnerable customers).

6. How We Use Your Personal Data

We use your personal data to:

  • Assess eligibility and arrange credit or finance products

  • Verify your identity and prevent fraud

  • Communicate with you about applications and services

  • Comply with legal and regulatory obligations

  • Improve our services and systems

  • Conduct marketing where permitted

7. Automated Decision-Making and Profiling

We may use automated systems and profiling to:

  • Assess creditworthiness and affordability

  • Detect fraud and financial crime

You have the right to request human intervention and to challenge automated decisions where applicable.

8. Data Sharing and Disclosure

We may share your personal data with:

  • Lenders, finance providers, and funders

  • Credit reference agencies and fraud prevention agencies

  • Regulators, including the FCA and Information Commissioner’s Office (ICO)

  • Professional advisers (e.g., auditors, legal advisers)

  • IT and cloud service providers

All third parties are required to process your data securely and in accordance with data protection laws.

9. International Data Transfers

Some of our service providers may process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, such as UK International Data Transfer Agreements (IDTAs) or adequacy decisions.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes we collected it for, including legal and regulatory requirements. Typical retention periods include:

  • Credit application and customer records: at least 5–7 years after the end of the relationship

  • Anti-money laundering records: 5 years after the end of the relationship

  • Marketing records: until consent is withdrawn or objections are raised

Data is securely deleted or anonymised when no longer required.

11. Your Data Protection Rights

You have the right to:

  • Access your personal data (subject access request)

  • Rectify inaccurate or incomplete data

  • Erase your data (where legally permissible)

  • Restrict processing of your data

  • Object to processing based on legitimate interests or for direct marketing

  • Withdraw consent at any time (where processing is based on consent)

  • Data portability (receive your data in a structured, commonly used format)

  • Lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk)

To exercise your rights, contact us using the details in Section 2.

12. Security of Your Data

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Access controls and authentication

  • Encryption and secure storage

  • Regular system monitoring and testing

  • Staff training on data protection and security

13. Data Breaches

In the event of a personal data breach, we will assess the risk and notify the ICO, affected individuals, and relevant regulators (including the FCA) where required by law.

14. Marketing Communications

We may send you marketing communications where permitted by law. You can opt out at any time by contacting us or using unsubscribe links in emails.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The latest version will be available on our website or upon request.

16. Contact Us

If you have any questions about this Privacy Policy or how we use your personal data, please contact:

Email: finance@groupzenith.com
Telephone: +44 (0)1902 810 520
Address: 15 Pitt Street, Wolverhampton, WV3 0NF, United Kingdom

This Privacy Policy is intended to meet the requirements of the UK GDPR, Data Protection Act 2018, and relevant FCA regulatory expectations for a UK regulated credit intermediary.