Our Privacy Policy

Privacy Policy

Last updated 23 June 2026

Noggin Privacy Policy

This privacy policy (“Privacy Policy”) describes how and why Noggin HQ Ltd (“Noggin”, “We”, “UsorOur”) collects, uses, shares and protects personal data in connection with:

Credit Reference Agency Information Notice (CRAIN)

As a Credit Reference Agency, this Privacy Policy acts as a Credit Reference Agency Information Notice (CRAIN) to explain how we, and the lenders we work with, process and share personal data to maintain and share an individual’s creditworthiness record. This notice ensures transparency regarding the sharing and use of your financial data.

About us

Noggin HQ Ltd is registered in England and Wales (company number 13409453) with its registered office at Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF. Noggin HQ Ltd is authorised and regulated by the Financial Conduct Authority (FRN: 993735).
We are registered as a fee payer with the UK’s Information Commissioner’s Office (www.ico.org.uk) (registration reference: ZB234886). If you have any questions relating to this Privacy Policy or how we process your personal data, please contact our data protection officer at support@nogginhq.co.uk or write to Noggin HQ Ltd, Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF.
Noggin HQ Ltd is the Data Controller for the processing described in this Privacy Policy, unless we tell you otherwise. This means we decide how and why your personal data is used, and we are responsible for ensuring it is handled in accordance with data protection law.
If We process your data under instruction from another organisation, such as a lender or account information provider, they will usually act as the Data Controller and that organisation’s privacy notice will also apply to the way it collects and uses your data.
We are committed to safeguarding the privacy and security of your data when using our services.

Who this notice applies to

This Privacy Policy applies to individuals whose personal data is processed by Noggin including in the following circumstances:
  • where Noggin processes personal data in connection with the provision of services to lenders or other third parties
  • where individuals visit or interact with the Website
  • where individuals create or manage an NHQ account
  • where individuals provide information directly to Noggin
  • and where individuals contact Noggin in relation to statutory credit report requests, subject access requests, complaints, or other queries.
This Privacy Policy does not apply to any personal data we collect about Noggin employees, job applicants and independent contractors.

Data We Collect

We collect personal data directly from you, e.g., via the Website, and from third parties, such as partners who use Noggin's services to provide their products to you ("Product Partners")

Data obtained directly from you

If you use the Noggin Website to submit information, create an NHQ account, or contact us directly, we may collect:
  • Contact information, such as your first and last name, email address(es), residential address and telephone number(s).
  • Identification information, such as your date of birth, nationality, marital status, title. In some instances, if you require copies of sensitive data, we may require photographic ID and proof of address, to verify your identity.
  • Profile data, such as your username and password(s), your interests, preferences, feedback and survey responses.
  • Online identifiers: Such as IP address and device type.

Data obtained from third parties

We may receive personal data about you from lenders, Product Partners and other organisations involved in your application, account or service journey. This includes the following:

Lenders and Product Partners

Partners typically share data, including Open Banking and transaction data with us on an ongoing basis, during the service agreement.
This may include:
  • Bank account balances,
  • Income and salary payments,
  • Regular expenditure,
  • Direct Debits and Standing Orders,
  • Transaction histories,
  • Overdraft usage,
  • Returned payments,
  • Gambling indicators,
  • Cash flow patterns,
  • Affordability indicators.
  • Employment information
We do not obtain:
  • County Court Judgment (“CCJ”) data,
  • Insolvency records,
  • Electoral roll information,
  • Traditional credit bureau repayment histories,
  • or historic credit file data from third-party credit reference agencies unless separately stated.

Sensitive data, also known as ‘Special Category Data’

Noggin does not collect special category personal data or criminal offence data for its core risk-scoring service.

Cookies

We may also collect certain personal data automatically through cookies and similar tracking technologies when you access our Website.
Cookies can be ‘strictly necessary’, such as those required to protect our website. We also use ‘non-essential’ cookies
We use Google Analytics cookies to:
  • Send data to Google Analytics about the visitor's device and behavior. Tracks the visitor across devices and marketing channels.
These cookies are non-essential cookies and we rely on consent to collect behavioural data. For more information about our use of cookies, or to change your consent preferences, please see our Cookie Policy: https://www.nogginhq.com/business/cookie-policy

How we use your data

We use Open Banking and statement data to:
  • generate affordability assessments,
  • create financial behaviour indicators,
  • generate credit and risk scores,
  • support lending and responsible affordability decisions,
  • help detect fraud or financial crime,
  • verify income and expenditure information.
Our assessments may be used by lenders and other authorised organisations when deciding whether to:
  • offer credit,
  • set credit limits,
  • assess affordability,
  • or manage existing customer relationships.

Lawful Bases for Processing

How we may use your informationLawful basis for processing
To verify your identity and serve you:
We process contact, identity, matching and profile data (such as your name, date of birth, email address, postal address, previous names, address history, identity documents, and your username and password where you hold an NHQ account) to:
  • verify your identity and match records to an application or consumer request;
  • communicate with you about data that has been shared with a Product Partners or about a statutory credit report or other request;
  • prevent fraud or misuse; and
  • where you create an NHQ account, manage, run and administer that account.
To comply with a legal obligation: UK/EU anti-money laundering laws, Financial Conduct Authority rules and HMRC requirements oblige us to verify identities and take steps to prevent fraud and financial crime.
To perform our contractual obligations: Where we provide a direct service to you, we process your data as necessary to perform our contract with you.

Consent: Where required for particular identity checks or the processing of sensitive data.
Legitimate interest: We have a legitimate interest in operating Noggin’s services, maintaining accurate records and preventing fraud or misuse.
To assess credit risk and support lending decisions:
We process application and product data (such as product type, loan size, application details and model version) to:
  • generate or support credit risk scores and probability of default assessments;
  • assess eligibility and affordability;
  • keep decision records and track the model version used for a decision;
  • support statutory credit reports; and
  • carry out analytics and performance monitoring.
To comply with a legal obligation: We are required to maintain records of credit assessments and to support statutory credit reporting.
To perform our contractual obligations: Where the processing is needed to provide a service requested by you or the contracting party e.g. a Lender.
Legitimate interest: We have a legitimate interest in operating our credit risk-scoring and analytics services, supporting responsible risk assessment on behalf of lenders, and maintaining accurate decision records. These interests are central to Noggin’s business.
To analyse financial behaviour and generate risk assessments:
We process account and transaction data (such as account reference, institution name, names on account, account type, account subtype, current balance, transaction date, description and amount) to:
  • analyse financial behaviour, including rent payments, income streams and borrowing activity;
  • generate or support credit risk scores;
  • verify account or income information;
  • match records and support statutory credit reports;
  • detect fraud; and
  • carry out analytics and performance monitoring.
To comply with a legal obligation: Where required to support statutory credit reporting or fraud prevention.

Consent: Where account information is made available via Open Banking, we rely on your consent as our lawful basis.
Legitimate interest: We have a legitimate interest in accurately assessing creditworthiness and identifying financial behaviour patterns relevant to responsible lending decisions.
To monitor account performance and validate our models:
We process repayment and performance data (such as account type, start date, close date, monthly payment, repayment period, current balance, account status codes, credit or overdraft limits, credit turnover, default information and related reporting fields) to:
  • monitor account performance against standard reporting requirements;
  • validate and improve our credit scoring models;
  • support statutory credit reports;
  • investigate disputes; and
  • carry out analytics, performance monitoring and, where relevant, fraud detection.
To comply with a legal obligation: We are required to maintain accurate records and support statutory credit reporting.
Legitimate interest: We have a legitimate interest in validating and improving our credit scoring models to ensure they remain accurate, fair and effective. Performance monitoring helps to identify early signs of financial difficulty or fraud.
To respond to your requests and provide support:
We process communications, statutory credit report, subject access request and support data (such as the content of your messages, your request details, declarations and supporting identity documents) to:
  • match records to a statutory credit report or subject access request;
  • verify your identity;
  • respond to requests, complaints and queries;
  • determine the right team to handle an issue;
  • communicate with you; and
  • support regulatory reporting and analytics.
To comply with a legal obligation: We are legally required to respond to statutory credit report requests, subject access requests and regulatory enquiries within prescribed timeframes.
To perform our contractual obligations: Where we need to respond to a service request you make.

Legitimate interest: We have a legitimate interest in communicating effectively, handling complaints efficiently and maintaining records for regulatory and analytical purposes.
To operate, secure and improve our Website:
We process technical, device and usage data (such as your IP address, browser and device information, cookie preferences, operating system, page response times, download errors, the websites you visited before coming to our Website and other browsing information) and profile data (such as your interests, preferences, feedback and survey responses) to:
  • operate, secure and improve our Website and digital services;
  • manage log-in or access;
  • understand how users interact with our platform;
  • personalise your visit to our Website and assist you while you use it; and
  • improve our suggestions to you and other users about products that may be of interest.
Legitimate interest: We have a legitimate interest in ensuring our Website operates securely and efficiently, understanding user interactions, and making improvements.

Consent: Where cookies or similar tracking technologies require your consent under applicable law, we will obtain it before placing them on your device. You may amend your cookie preferences at any time; please see our Cookie Policy.
To market our services and deliver advertising:
We may process your personal data to:
  • contact you about our services which we believe may interest you, unless you inform us that you do not wish to receive marketing or market research communications; and
  • deliver tailored advertising on third-party websites based on your interests.
Consent: Where we send marketing communications or deliver tailored advertising using cookies or similar technologies, we do so with your consent. You can opt out at any time by clicking on unsubscribe links in any marketing email or by contacting us. You may amend your cookie preferences at any time; please see our Cookie Policy.

Legitimate interest: We have a legitimate interest in promoting our services to individuals who may benefit from them. Where we rely on legitimate interest for marketing purposes, you have the right to object at any time, and we will promptly cease such processing.
To protect our business and comply with legal and regulatory obligations:
We may process your personal data to:
  • share personal data with third parties that acquire or are interested in acquiring all or part of our assets or shares, or that succeed us in carrying on our business;
  • perform general, financial and regulatory accounting and reporting; and
  • comply with regulatory obligations, including fraud prevention and statutory credit reporting.
  • establish, exercise or defend legal claims;
To comply with a legal obligation: We are subject to legal and regulatory obligations relating to fraud prevention, statutory credit reporting, accounting and financial reporting.

Legitimate interest: We have a legitimate interest in protecting our business and by sharing data in connection with corporate transactions, provided appropriate safeguards are in place.
To establish, exercise or defend legal claims: We may process your personal data to establish, exercise or defend legal claims.
In relation to the proposed or actual sale, restructuring or merging of any or all parts of our business:
We may process your personal data in order to:
  • facilitate the sale, transfer, or merger of all or part of our business or assets; or
  • facilitate our acquisition of, or merger with, another business.
To comply with a legal obligation: We are subject to legal disclosure requirements when engaging in processes to sell our business or buy other businesses.
Legitimate interest: We have a legitimate interest in being able to sell, transfer or restructure our business.

Who we share personal data with

We may share personal data with the categories of recipients described below, where this is necessary for the purposes set out in this Privacy Policy. Some of these recipients act as processors on our behalf, while others act as controllers for their own purposes.

Lenders and Financial Institutions

This includes the lender or prospective lender involved in your application or account, our Product Partners, banks or account providers, and payment or verification partners.

Product Partners

This includes partners who use our transaction categorisation and enrichment service to provide you with their products or services.

Service Providers

We may share personal data with service providers that help us operate our business, including third-party providers such as cloud hosting providers, analytics providers, communications providers, customer support providers, identity verification providers, fraud screening providers, document management providers and professional advisers (such as accountants and lawyers). Access by service providers with respect to Open Banking will be limited to what is reasonably necessary for them to perform their function, and we require them to protect the confidentiality and security of the data they process for us.

Regulators or Government Authorities

We may share personal data with regulators, courts, tribunals, government bodies, law enforcement agencies and other public authorities where this is required by law, required for regulatory reporting, or necessary to protect rights, safety or the integrity of our systems and services. For example, the Financial Conduct Authority or Financial Ombudsman Service.

Investors and Interested Parties

We may also share personal data with actual or potential acquirors, investors, insurers, funders, advisers or other interested parties in connection with a merger, acquisition, financing, restructuring or sale of all or part of our business or assets, or that succeeds us in carrying on all or part of our business, provided appropriate safeguards are in place.

Fraud prevention

Where necessary, we may share personal data with fraud prevention agencies, law enforcement agencies and other organisations involved in preventing, detecting and investigating fraud, money laundering and other crime.
We do not share traditional credit file information because we do not maintain traditional consumer credit files.

Automated Decision Making and Profiling

We use automated systems and profiling techniques to analyse transaction data and generate risk related insights and scores.
These assessments may contribute to decisions that affect you financially.
You have rights under UK GDPR relating to:
  • automated decision making,
  • correction of inaccurate data,
  • and objection to certain processing activities.
You may request human review of a decision made solely by automated means where applicable.

8. International transfers

Noggin is a UK-based company and we expect the majority of our processing to take place in the UK. However, we may transfer data to vendors, service providers and other recipients located outside the UK, where personal data protection laws may be less strict than in the UK.
Where we transfer personal data to recipients outside the UK, we will take appropriate precautions to protect your data and ensure that any transfers comply with UK Data Protection Legislation. This may include the use of UK IDTA, SCCs or alternative safeguarding measures.

Keeping Data Secure

Noggin is committed to keeping your data secure. We take appropriate technical and organisational measures to protect your personal data, such as encrypting data, use of MFAs, and Role-Based Access Controls. We continually monitor and review our security controls.

How long we keep your data

We retain personal data for as long as is necessary to fulfill the purposes described in this Privacy Policy, and as permitted or required by applicable law. This may be up to 6 years, in order to comply with HMRC rules or to comply with legal and regulatory requirements.

Anonymised and aggregated data

We may use anonymised and aggregated data, which does not directly or indirectly reveal your identity, to conduct research and analysis, produce statistical reports, and generally improve our services. We will not use anonymised or aggregated data in a manner that could reasonably permit the re-identification of any individual.

Statutory credit reports

A statutory credit report is a report prepared by Noggin, acting as a Credit Reference Agency, containing information relating to the creditworthiness, credit history or financial standing of an individual or entity.
You may request a copy of your statutory credit report free of charge. We will usually require identity verification in order to provide this, in order to safeguard your data.

Your rights

Subject to applicable law, and in relation to the personal data we hold about you, your rights include:
  • Access and information: You may request access to your personal data and information about how we use it.
  • Rectification: You may ask us to correct inaccurate or incomplete personal data.
  • Erasure: In certain circumstances, you may ask us to erase your personal data, where we do not have a legitimate reason to retain this.
  • Restriction: You may ask us to restrict how we use your personal data.
  • Objection: You may object to processing based on legitimate interests.
  • Portability: You may receive certain personal data in a structured, commonly used and machine-readable format.
  • Withdrawal of consent: Where we rely on your consent, you may withdraw it at any time, though this will not affect the lawfulness of prior processing.
  • Automated Decision Making: You have the right to object to any automated decision making
These rights are not absolute. We may refuse or limit your request if we have a lawful basis to do so, such as: where we need to comply with applicable law, protect the rights of others, preserve legal privilege, prevent fraud, or establish, exercise or defend legal claims.
To exercise any of these rights, please contact us at: support@nogginhq.co.uk or write to Noggin HQ Limited, Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF. We may request information to verify your identity before acting on your request. We will respond in writing within 1 month of receipt of identity verification documents, though in exceptional cases we may extend this by up to 2 further months, with reasons. We may also need to request further information to trace any personal data we hold about you.
We do not usually charge for this, however, in cases where the request is excessive or repetitive we may charge a fee.
Open Banking Data
You may withdraw consent to sharing your Open Banking data with us at any time via your NHQ account.
Complaints
If you wish to raise a complaint regarding the way Noggin handles your personal data, marketing or responses to rights requests, please contact us at: support@nogginhq.co.uk or write to Noggin HQ Limited, Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF.
We will acknowledge receipt of your complaint without undue delay, and usually within 5 working days. Your complaint will be reviewed impartially and you will receive a response, advising of the outcome of your complaint and any reason behind the outcome.
You also have the right to lodge a complaint with the Information Commissioner’s Office if you are unhappy with the outcome of your complaint or believe that your personal data has been handled in a way that does not comply with data protection law: www.ico.org.uk

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Please refer to this Privacy Policy on an ongoing basis so you understand our current privacy practices.
Privacy Policy | Noggin