We take the privacy of our personal and business banking customers seriously. Here, you can learn more about your data protection rights and how we collect, use, share and store your personal info.
That includes info we already hold about you now and further personal info we might collect about you, either from you or someone else. How we use your personal info depends on the accounts and relationship you have with us.
Our Data Protection Officer (DPO) provides help and guidance to make sure we protect your personal info and we use it in the right way. If you have any questions, you can contact our DPO (see section 13 “Getting in touch”).
This Privacy Notice will replace any previous notice we’ve given you. If we make any important changes to it we’ll get in touch to let you know.
When we say ‘Group’ we mean Virgin Money UK PLC, Clydesdale Bank PLC, each subsidiary or holding company of Virgin Money UK PLC. You can find out more about the companies within the Group in the Legal and Privacy section here.
The following are the ‘data controllers’ within the Group that collect and use personal info. When we say ‘we’ or ‘us’ in this notice we are referring to:
- Clydesdale Bank PLC
- CYB Intermediaries Limited
- CGF No 9 Limited
- Clydesdale Bank Asset Finance Ltd
- Clydesdale Covered Bonds No 2 LLP
- Virgin Money UK PLC
- CYB Investments Ltd
- Virgin Money PLC
- Virgin Money Unit Trust Managers Ltd
- Virgin Money Personal Financial Service Ltd
- Virgin Money Management Services Ltd
- Virgin Money Holdings (UK) PLC
- Yorkshire Bank Home Loans Ltd
We collect info directly from you and others.
We get info:
- Directly from you – for example, in applications, emails, letters, phone calls and conversations in Store (including info given by someone else, like an employer, financial adviser or accountant).
- Through you attending events in our Stores and Lounges, entries into our competitions, surveys, promotions, and conversations with us on social media.
- By looking at how you use our products and services, or those of other members of our Group. For example, from transactions and how you manage your accounts and services. This includes the use of artificial intelligence or machine learning to analyse aggregated/combined datasets, to make forecasts/projections of earnings and cash flow, and to improve a service or systems in terms of machine learning or analytics cookie use. Info will be used for the development and deployment of the machine learning.
- From others who know you – including joint account holders and people you’re linked to financially.
- By looking at how you interact when using your device. This could be the use of your keyboard, mouse and/or the way you hold your device – this is called “Behavioural Biometrics”.
- From your use of our websites or applications, including through cookies that collect info about your internet use.
- From recorded images (like CCTV in our Stores) and calls. We’ll record or monitor phone calls with you for regulatory purposes and training, to improve our service, to make sure our colleagues and customers are safe and to sort out any issues. We also use CCTV on our premises for the safety and security of everyone.
- Credit reference agencies (like Experian) and fraud prevention agencies (for example, CIFAS).
- Payment card networks, like Mastercard.
- Price comparison websites.
- Insurance companies.
- Advertisers, social media networks and companies that do market research and look at stats and analyse your behaviour (like Google and Facebook).
- The Government and their agencies – for example, HM Revenue & Customs, Financial Conduct Authority, Business Banking Resolution Service, The British Business Bank and Companies House.
- Public records (like the electoral roll) and other public sources, including internet searches.
- Other companies that provide a service to us – for example, surveyors and lawyers.
- Marketing Services Providers – these are companies that collect personal data from a number of sources for the purposes of creating profiles of customer groups.
- Other third parties who are allowed to share info with us.
- Other third parties who you have chosen to connect to your Virgin Atlantic Credit Card account (e.g. Virgin Red in your Virgin Money Wallet).
We’ll also look at and combine the info collected (sometimes automatically) to understand how you use your account and our services. It also helps us understand what you may like and do. We may create a profile of you to help us predict your financial behaviour and what you prefer before offering services to you (‘profile info’).
Some of our products and services need you to allow third parties to share info with us. This may be combined with other info we hold and have analysed so we can provide that product or service. Please check out section 5 “Why we need the info and what we use it for” for more details.
Data Protection law means we need to have one or more of the following reasons for using your info:
- ‘Contract performance’ – where we’ll use your info to provide you with your account, product or service (for example, we’ll use your name and address to post an account statement to you).
- ‘Legal obligation’ – this is where we must process your info by law (for example checking you are who you say you are).
- ‘Legitimate interest’ – we’re allowed to use your info where, on balance, the benefits are reasonable and not outweighed by your interests or legal rights – for example, we have an interest in knowing what our customers like and don’t like so we can offer better products and services.
- ‘Consent’ – sometimes, we may ask you for your consent or permission to use info in a certain way or where the law states we must get your permission. For example, if you agree to us recording something about your health so we can improve the way we communicate with you. Whenever permission is the only reason for us using the info, you have the right to change your mind. To do this, just contact us – head to section 13 to find out how.
Using your info
These are the main ways we'll use your info and the reasons for doing so.
The law requires us to check the identity of new customers and, for business customers, to verify key individuals of such customers. The law also requires us to re-check the identity of existing customers from time to time. This is so we know who our customers are and to make it more difficult for criminals to use false or impersonated identities for criminal purposes, like hiding the proceeds of crime or committing fraud. To check your identity, we’ll check the contact details and financial info you give us with credit reference agencies and against publicly available info. We’ll also check you’re eligible for the product or service we’re offering.
We’ll use your info to manage any account, product, service or relationship you have with us. This’ll be done in line with the terms of that arrangement and the rules of our regulators. Examples of this are:
- Management of your account including:
- Allowing payments to and from you.
- Keeping info about your transactions and sending your account statements.
- Telling you about your account and your relationship with us, including letting you know any changes to interest rates, limits or charges.
- Sharing your name and some account details with a person or organisation before a payment can be made to your account.
- Linking you to your Virgin Red account where you have asked us to do that in your Virgin Money Wallet.
- Helping to fix mistakes and sort out any problems or complaints you may have.
- Managing any offers or promotions you take part in.
- Closing your account.
To do this, we’ll use your contact details, the payment details you’ve given us and your location data to enable us to check locations where payments are made (this is to prevent fraud). If you’ve agreed to it, we’ll also use mobile location services and your IP address to identify you for security and to stop fraud.
We may also share this info with third parties who help us confirm your contact details and deliver our products and services – this could be our payment providers, subcontractors, service providers for ATMs and cash management and other banks and regulators.
We might use info to manage any business internet banking money management services provided to business banking customers. Our money management services use machine learning to give you forecasts and predictions:
- This provides a simple forecast of revenue for the next three months using the info you’ve given us and other info across the platform (including previous info). For example, daily and monthly revenues, industry type, size and location.
- The forecasting tool gives a prediction of future cashflow using all the transactions, invoices and other financial info that cause your bank balance to change. It then looks back to find different patterns and trends that it can use to forecast your cashflow. It works directly from your cash movements rather than your profit and loss or balance sheet. This means it can consider individual customers and suppliers to make accurate forecasts right down to daily cash movements.
We have a legitimate interest in only lending money to customers we think can pay it back. Our regulators also require us to lend money in a responsible way.
So, whenever you apply for credit (for example, a mortgage, credit card or overdraft) or any extra borrowing on a product you’ve taken out, we’ll use the info you give us and what we already know to work out the risk to us.
We’ll also get info from credit reference agencies to do credit scoring and/or other risk assessments of your application.
Credit scoring is an automated way of making fair and responsible decisions about lending money and managing your accounts. We use it to assess how you are likely to run your account and by using info from a range of sources it allows us to decide on whether we’re going to offer you a product or service or make any changes to any ones you have.
To calculate a credit score, we use:
- Info you provide about your credit history.
- Info about anyone you’re financially linked to (like your partner).
- Info we get from credit reference agencies (including, but not limited to, those shown in Appendix 1).
- Details about how you’ve used other products and services you have with us or the Group (for example, how you’re making repayments on other credit products).
- Info we received about you from other third parties, including when you let us access accounts you have with other banks, as an account service provider.
We’ll confirm where we’ve used credit assessment. If there’s been a change to your credit limit or interest rate based on our credit assessment process, you can ask one of our team to assess it again. For more info see the section ‘When we make automated decisions’ below.
See section 7 for more about sharing info with credit reference and fraud prevention agencies.
By law, we must review applications and monitor accounts. This helps us tackle threats from terrorists, money-laundering and other financial crimes. We also have a legitimate interest in avoiding losses caused by financial crime like fraud. We may share info with law enforcement agencies and other official bodies or government departments to comply with our legal obligations (like tax and immigration authorities).
We may also check and share info we’ve got about you – like your contact details and financial info – with fraud prevention agencies, credit reference agencies, law enforcement, other government agencies, different banks and regulators. This is to help stop financial crime and terrorism funding. To do that, we’ll use any info you’ve provided, as well as info we’ve got from a third party. We’ll also see how you use our services for more info.
This includes your name, address, date of birth, every country of residence/citizenship, personal identification (which may include passport or driving licence number), your IP address and details of any criminal convictions. This might also include info about your location, which helps prevent crime and fraud.
We use your info in this way because it is necessary to perform our contract with you. It is also in our legitimate interest to recover any debts that are owed to us if there isn’t a plan in place to pay it back.
We’ll use your contact details and info we’ve got from seeing how you’ve used our services (including info about your location that we may find from reviewing your accounts). We’ll also use info available within the Group about how you’ve used services from other Group members.
To get a debt paid back, we’ll share info with and receive info from third parties where we have to. This might even include legal proceedings. Examples of third parties include other banks, debt recovery agents, solicitors, credit reference agencies and sheriff officer or bailiff services.
This might also include sharing info about you with a third party who we’ve moved your debt to e.g., securitisation. We’ll tell you who they are and they’ll contact you directly to collect that debt.
We have a legitimate interest in improving how we offer our services and the security of the computer systems we use. We also have to respond to any law changes or rules that affect how we protect the info that we hold.
We may use your info to help us develop and test our systems, including new technologies and services. This is to make sure they’re safe and secure and will work the way we want them to. When we do this, we’ll use processes and technologies that are designed to keep this info secure.
The range of products and services we offer, including those from companies outside the Virgin Money UK PLC Group, changes all the time.
We have a legitimate interest in telling you about products, services and any new developments we think may interest you, where we’re allowed to. For some of our marketing, including letting you know about the products and services of other companies, we’ll ask for your permission first.
We don’t want to send on too much info or anything that’s not right for you, so we’ll use the info we already have, particularly profile info, to decide what we talk to you about. This includes telling business customers who meet certain scores that they may be able to apply for Sustainability Linked Loans.
You have the right to tell us at any time if you don’t want us to use your info in this way.
We’ll only get in touch in the ways you’ve said we can. For example, a phone call, text message or post. If you’ve said you don’t want to see any marketing, you won’t. You can opt in or out at any time to marketing by contacting us in the usual way (see section 13 for our contact details).
If you are happy to receive marketing, we want you to see the things that are right for you, at the right time. The best way for us to do this is to use automated processes to create a profile for you for marketing purposes. We do this by using:
- The info you’ve given us.
- Details about how you’ve used other products and services you have with us or the Group.
- Any feedback you’ve given us.
- Info we’ve got from credit reference agencies (including, but not limited to, those set out in Appendix 1).
- Info from other companies we’re partnering with (including, but not limited to, those shown in Appendix 3).
We might get info about you from a third party to help us market our products and services to you. But we’ll only do this if you’ve given them permission to share your info with us.
We might also ask you for permission to show marketing from Virgin Red as part of your Virgin Money Wallet app, both inside the app and in push notifications.
We may also get your name and address from other companies to help us offer services that are right for you. Our manual or automated processes analyse this info to decide what products and services to offer to you and to prioritise the marketing messages you receive.
We do this by:
- Working out which products and services you can have.
- Seeing if they’ll be useful to you.
- Deciding how likely you are to reply.
We may also get info telling us if you’ve opened or clicked on an email, the type of device you’re using and your general location when you opened the email.
Our service providers will help us with these marketing activities. The partners we give your info to might use it for marketing profiling.
Sometimes we work with other companies to offer you the best products and services. We’ll sometimes share your information with our partners, and get info about you too, to make sure that we give you the best, most relevant offers when we market to you (if you have given permission).
See Appendix 3 for a list of our partners and Appendix 4 for the types of suppliers we use.
We have a legitimate interest in running our business as well as possible while also sticking to our legal and regulatory responsibilities to the UK financial system.
Therefore, we may use your financial info, including how you’ve used our products and services, for the following reasons:
- To see how well our marketing is working.
- To train our team.
- To spot trends or behaviours.
- To check performance indicators.
- To work out the profitability (or other indicators) of a product, service, sector or part of it when compared to others to help us with our future strategy.
- To report to and communicate with regulators, auditors and government agencies.
- To help the preparation and confidential sharing of info that supports our funding and other activities. For example, the sale or transfer of our interests in some of our mortgage or credit card accounts or where we may want to reorganise some or all our businesses through a merger, transfer or sale.
We may pass your info to market research companies and others who help us with these activities.
Sometimes, we’ll use artificial intelligence to help us understand trends, behaviours and predict general patterns. For example, to see how well our marketing is doing.
We may also use your info for other things you’ve agreed to, as well as some situations where the law asks or requires us to.
We have an interest as well as a legal duty to support vulnerable customers. That’s why we’ll use any info you give us, and what we can see from your transactions, that might show a vulnerability. For example, a health condition or money worries.
We’ll also use info we get about vulnerable customers from other members of our Group if we need to protect their interests. Plus, we’ll give info to third parties about vulnerability to meet our legal duties. This might be to the police, social services or someone acting on your behalf.
We’ll give info to and get info from third party independent financial advisers and mortgage brokers who’ve introduced you to us.
This is so we can provide products and services to you and manage our relationships with those third parties, including paying any fees.
To do this, we’ll use info about the general nature of the products and services, as well as info about the value of those products and services.
To provide you with mortgage products and some insurance products, as well as the info already listed above, we’ll need to use extra info about your needs and situation. This is to make sure the products and services are right for you.
For mortgages, this’ll include info about your income and spending, assets and liabilities and your planned retirement age.
For life and critical illness, this’ll include your date of birth, if you smoke or not and details of current policies. Plus, info about how you’ve used other products and services offered by us or other Group members. This will include previous claims under any current policies you have with us, as well as with other providers.
We might share all the info we use with third parties who help us to give the best advice possible. These third parties include credit checking and fraud prevention agencies and our insurance provider partners.
See Appendix 1 for a list of the credit reference and fraud prevention companies we use and Appendix 2 for a list of our insurance provider partners.
We use your info like this because it’s in both of our interests for you to get advice about the right products and services. It’s also so we stick to the rules of our regulators.
We sometimes use computers to make decisions. We do this when:
- Assessing your eligibility for products and services. We’ll analyse and combine the info collected to create a profile of you to understand the way you use your account (or how we think you might use your account) and our services as well as what you might like and what you might do. We use this to decide whether to offer you certain products and services.
- Deciding whether to lend money. We use credit scoring to help us make fair, responsible, and consistent decisions about lending money and managing your account(s). We use credit scoring to decide:
  - whether we provide a product or service to you;
  - whether to adjust products or services you have (like increasing or decreasing credit limits or interest rates);
  - to pre-approve future products or services for you;
  - to authorise overdraft limits;
  - to authorise payments from you; and
  - in some cases where we need to recover a debt from you.
- Creating a profile of you for marketing purposes (but only where you’re happy to be contacted with marketing). This helps us make sure you get the most relevant info about the products and services that will be the most beneficial to you, at the right time. It also helps us decide how likely you are to respond. To do this, we use:
  - info you give to us;
  - details about how you have used other products and services you have with us or the Group;
  - any feedback you have given us;
  - info we have obtained from credit reference agencies (including, but not limited to, those set out in Appendix 1); and
  - info from other companies we are partnering with (including, but not limited to, those set out in Appendix 3).
- To assess payments to your account to identify any that look unusual and that are potentially fraudulent. We take into account various elements of the payment like billing address, IP location, issuer country, and velocity checks on how many times the card has been used globally and assign a score to each payment and where the score is above a certain threshold the payment will not be processed.
When we make automated decisions, we look at how you’re likely to run your account, using info from a range of sources (see section 4 “Where we collect info from”). Where we make automated decisions you can always ask for a member of the team to review the outcome.
Special protection is given to special categories of info and criminal offence info.
We’ll only use special categories of info if we have one or more of the following additional reasons for using your info:
- ‘Explicit consent’ – where you have given us explicit consent to use the info.
- ‘Vital interests’ – where we need to protect your vital interests e.g. if you have a severe and immediate medical need whilst on our premises.
- ‘Public interest’ – where it is in the substantial public interest.
We’ll only use criminal offence info where the law allows us to, for example, for the purposes of preventing or detecting crime.
Using special categories info
We use the following special categories info for the reasons below:
- If you apply for a health-related insurance product, we’ll need your info to provide you with services that are right for you.
- If we identify that you have a health-related vulnerability, we’ll share that in our organisation to the extent needed to protect your interests and offer you services that are suitable for you.
- If we need to provide you with urgent medical help when you’re on our premises.
- To make sure you’re treated fairly if you come into financial difficulties because of a vulnerability.
Some of our accounts use facial and other biometric recognition technology to help customers prove their identity when opening accounts. We’ll ask for your permission when setting this up.
Observing how you interact when using your device (for example, the use of your keyboard, mouse and/or the way in which you hold your device) is called “behavioural biometrics”. We also use behavioural biometrics to confirm your identity when you shop online with your debit or credit card. Behavioural biometrics is the use of machine learning to analyse patterns. This helps us stop fraud by making sure the person using the card is who they say they are.
We may ask you about your racial and ethnic background as we need to make sure everything is fair and equal when it comes to the service we offer.
We may use info about criminal proceedings relating to you when deciding to lend money to you, to help us prevent and detect financial crime and to fulfil our legal/regulatory obligations.
Sometimes the transactions in your bank accounts will reveal special categories info (like your political opinions, health status, religious beliefs and trade union membership), depending on payments you make and receive. This info may be processed by us to provide account payment services to you and will not be used for any other purpose.
We may need to share your info outside the UK and EEA with others. This can include Group companies, service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not offer the same protection as in the UK and European Economic Area e.g. USA.
For example, if you have a credit or debit card with us, we’ll share what you’ve spent with the payment network e.g. Mastercard, who may use this info worldwide. In these cases, we’ll do everything we can to make sure your info is protected to UK standards.
This could be by only letting transfers take place with countries the EU Commission thinks offer enough protection for your info (an adequacy decision) or by putting our own measures in place to make sure there’s enough security as set out by data protection law.
These measures include having recognised safeguards in place with our commercial partners, like carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators like the EU style model clauses or where our commercial partner is a signatory to a recognised and binding code of conduct. For more info about standard contractual clauses as shown by the ICO, check out ico.org.uk and search for ‘International Transfers’.
To learn more about how your info is used in countries outside the EEA, the adequacy decision for that country or the measures we’ve put in place, please get in touch with our Data Protection Officer.
The United Kingdom left the European Union on 31 January 2020. So, we’ll need to transfer your personal info to the UK and other areas outside of the EEA, so you can continue to use our products and services.
Moving your personal data from the EU to the UK will take place based on an adequacy decision by the European Commission in favour of the UK, or on the basis of protections which comply with EU GDPR. We’ll also need to continue to act in line with EU GDPR when we process your personal data.
We’ll continue to keep your data secure, but if you’ve got any questions about how we use your info or your data rights and our obligations as a Data Controller, you can speak to our EU representative. If you want to write, the address is The Data Warehouse at Keizersgracht 482, 1017EG, Amsterdam, Netherlands. You can also email them at firstname.lastname@example.org.
If you’d like more info, you can contact our Data Protection Officer (see section 13. Getting in touch).
How long we keep your info for depends on what products and services you have with us. Just so you know, we won’t keep it any longer than we need to (see section 5 Why we need the info and what we use it for and section 6 Why we need special categories info and what we use it for).
This means we’ll continue to hold some info for a while after your account has closed or our relationship has ended. For example, where we need to for the regulator, for active or potential legal proceedings, to resolve or defend claims or for making remediation payments.
If you’d like more info, you can contact our Data Protection Officer (see section 13. Getting in touch).
We’ll get in touch with you about products and services we are delivering using the contact details you’ve given us. This might be by post, email, text message, social media and notifications on our app or website.
Where you have given us permission to send you marketing, you can cancel it and update your marketing choices in Store, by calling us, via online banking or through the Virgin Money app.
You can also update your contact preferences in Store, by calling us or through the Virgin Money app.
Head to uk.virginmoney.com/contact for all the contact info you’ll need.
The law guarantees you rights about how we use your info.
You can object to how we use your info. When this happens, we have up to one month to get back to you.
We’ll stop using the info unless there’s a good legal reason to do so (we’ll always tell you what that reason is).
Remember, you can stop getting marketing communications at any time. Just get in touch in the usual way to let us know.
You always have the right to ask whether we hold info about you. If we do, you have the right to know:
- What the info is.
- Why we’ve got it.
- The ways it’s used.
- Who we share it with.
- How long we keep it for.
- Whether it’s been used for any automated decision making.
You’re also allowed a free copy of the info. We can give it to you in person, online, over the phone, by email or by post.
We always want the info we have for you to be absolutely spot on (up to date and accurate). If any of it is wrong or out of date, let us know and we’ll fix it.
You can ask us to delete your info if you think we don’t need it anymore. This might be because:
- It’s not needed for the reason we collected it (see section 5 Why we need the info and what we use it for and section 6 Why we need special categories info and what we use it for).
- We held and used the info because we had your permission, which you’ve now taken back.
- You’ve already objected to the way we’re using your info.
- We’ve been using the info unlawfully.
- There’s a legal requirement for us to delete the info.
When you ask for info to be deleted, we have up to one month to get back to you. If we don’t go ahead and do it, we’ll tell you why.
You have the right to get some of the info you gave us in a machine-readable format.
In certain situations, you can block or limit the use of info by us. This may happen where:
- You’ve challenged the accuracy of the info and we’re checking it.
- You’ve objected to how we use your info and we’re considering whether you’re right.
- We’ve been using your info unlawfully but you want us to continue to hold the info rather than delete it (see “Deleting info” above).
- We no longer need to keep the info but you’ve asked us to keep it because of legal claims you’re involved in.
If you’re unhappy with how we’re using your info, please visit us in Store or at uk.virginmoney.com/contact.
If we can’t fix the issue, you can complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body set up to uphold your rights. You can find out more at www.ico.org.uk.
You can exercise any of your data protection rights by contacting us – see Section 13. Getting in touch.
You can exercise any of your data protection rights (like accessing your personal data) by emailing us at DSARCCA.Queries@cybg.com.
If you’d like to contact our DPO you can email Data.email@example.com or write to The team at Virgin Money, Sunderland, SR43 4JB.
Appendix 1: List of our Credit Reference, Credit Rating, Debt Recovery and Fraud Prevention agencies.
- CreditSafe Business Solutions Limited
- TransUnion International UK Limited
- Dun & Bradstreet Limited
- Eunexus Pty Ltd
- AML Analytics Limited
- BAE Systems Applied Intelligence (UK) Limited
- DIA Europe B.V.
- Fiserv UK Limited
- National Hunter Ltd
- Apex Credit Management Limited
- Blue Stone Credit Management
- Fitch Solutions Limited
- Moody's Analytics UK Limited
Appendix 2: List of insurance companies who provide insurance products for our customers.
- Aviva Insurance Limited
- Aviva Life & Pensions UK Limited
- AIG Europe Limited
- Lifestyle Services Group Limited
- U K Insurance Limited
- Hiscox Insurance Company Limited
- Legal and General Assurance Society Limited
- Hood Group Limited
- Hood Travel Limited
- Royal & Sun Alliance Insurance PLC
Appendix 3: List of our third party partners.
- Royal and Sun Alliance Insurance PLC
- Legal and General Assurance Society Limited
- Hiscox Insurance Company Limited
- The Royal London Mutual Insurance Society Limited
- Arthur J. Gallagher Insurance Brokers Limited
- Travelex Currency Services Limited
- Origen Financial Services Limited
- AIG Europe Limited
- Lifestyle Services Group Limited
- U K Insurance Limited
- Sodexo Motivation Solutions UK Limited
- Accelerated Payment Limited
- Bright HR Limited
- Virgin Red Limited
- UT Tax Limited
Appendix 4: List of the categories of our suppliers.
- Complaints Management Services
- Account monitoring and operation
- Debt Management Services
- Fraud Monitoring and Services
- Marketing Campaigns and Services
- Payment Systems and Services
- Regulatory Monitoring and Services
- Sales Monitoring and Services
- Travel and Events Services
- Credit Reference Agencies
- Information Security Services
- Physical Security Services
- IT Service Companies
- Business Management App Services
- Accounting Software Services