Our Privacy Policy
Privacy Policy
Last updated 23 June 2026
Noggin Privacy Policy
This privacy policy (“Privacy Policy”) describes how and why Noggin HQ Ltd (“Noggin”, “We”, “Us” or “Our”) collects, uses, shares and protects personal data in connection with:
-
Our credit risk-scoring, analytics and any related services for lenders
-
Visits to and interactions with our website: https://www.nogginhq.com/ and https://www.nogginmobile.com/ (the “Website”).
Credit Reference Agency Information Notice (CRAIN)
As a Credit Reference Agency, this Privacy Policy acts as a Credit Reference Agency Information Notice (CRAIN) to explain how we, and the lenders we work with, process and share personal data to maintain and share an individual’s creditworthiness record. This notice ensures transparency regarding the sharing and use of your financial data.
About us
Noggin HQ Ltd is registered in England and Wales (company number 13409453) with its registered office at Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF. Noggin HQ Ltd is authorised and regulated by the Financial Conduct Authority (FRN: 993735).
We are registered as a fee payer with the UK’s Information Commissioner’s Office (www.ico.org.uk) (registration reference: ZB234886). If you have any questions relating to this Privacy Policy or how we process your personal data, please contact our data protection officer at support@nogginhq.co.uk or write to Noggin HQ Ltd, Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF.
Noggin HQ Ltd is the Data Controller for the processing described in this Privacy Policy, unless we tell you otherwise. This means we decide how and why your personal data is used, and we are responsible for ensuring it is handled in accordance with data protection law.
If We process your data under instruction from another organisation, such as a lender or account information provider, they will usually act as the Data Controller and that organisation’s privacy notice will also apply to the way it collects and uses your data.
We are committed to safeguarding the privacy and security of your data when using our services.
Who this notice applies to
This Privacy Policy applies to individuals whose personal data is processed by Noggin including in the following circumstances:
-
where Noggin processes personal data in connection with the provision of services to lenders or other third parties
-
where individuals visit or interact with the Website
-
where individuals create or manage an NHQ account
-
where individuals provide information directly to Noggin
-
and where individuals contact Noggin in relation to statutory credit report requests, subject access requests, complaints, or other queries.
This Privacy Policy does not apply to any personal data we collect about Noggin employees, job applicants and independent contractors.
Data We Collect
We collect personal data directly from you, e.g., via the Website, and from third parties, such as partners who use Noggin's services to provide their products to you ("Product Partners")
Data obtained directly from you
If you use the Noggin Website to submit information, create an NHQ account, or contact us directly, we may collect:
-
Contact information, such as your first and last name, email address(es), residential address and telephone number(s).
-
Identification information, such as your date of birth, nationality, marital status, title. In some instances, if you require copies of sensitive data, we may require photographic ID and proof of address, to verify your identity.
-
Profile data, such as your username and password(s), your interests, preferences, feedback and survey responses.
-
Online identifiers: Such as IP address and device type.
Data obtained from third parties
We may receive personal data about you from lenders, Product Partners and other organisations involved in your application, account or service journey. This includes the following:
Lenders and Product Partners
Partners typically share data, including Open Banking and transaction data with us on an ongoing basis, during the service agreement.
This may include:
-
Bank account balances,
-
Income and salary payments,
-
Regular expenditure,
-
Direct Debits and Standing Orders,
-
Transaction histories,
-
Overdraft usage,
-
Returned payments,
-
Gambling indicators,
-
Cash flow patterns,
-
Affordability indicators.
-
Employment information
We do not obtain:
-
County Court Judgment (“CCJ”) data,
-
Insolvency records,
-
Electoral roll information,
-
Traditional credit bureau repayment histories,
-
or historic credit file data from third-party credit reference agencies unless separately stated.
Sensitive data, also known as ‘Special Category Data’
Noggin does not collect special category personal data or criminal offence data for its core risk-scoring service.
Cookies
We may also collect certain personal data automatically through cookies and similar tracking technologies when you access our Website.
Cookies can be ‘strictly necessary’, such as those required to protect our website. We also use ‘non-essential’ cookies
We use Google Analytics cookies to:
- Send data to Google Analytics about the visitor's device and behavior. Tracks the visitor across devices and marketing channels.
These cookies are non-essential cookies and we rely on consent to collect behavioural data. For more information about our use of cookies, or to change your consent preferences, please see our Cookie Policy: https://www.nogginhq.com/business/cookie-policy
How we use your data
We use Open Banking and statement data to:
-
generate affordability assessments,
-
create financial behaviour indicators,
-
generate credit and risk scores,
-
support lending and responsible affordability decisions,
-
help detect fraud or financial crime,
-
verify income and expenditure information.
Our assessments may be used by lenders and other authorised organisations when deciding whether to:
-
offer credit,
-
set credit limits,
-
assess affordability,
-
or manage existing customer relationships.
Lawful Bases for Processing
| How we may use your information | Lawful basis for processing |
|---|---|
To verify your identity and serve you: We process contact, identity, matching and profile data (such as your name, date of birth, email address, postal address, previous names, address history, identity documents, and your username and password where you hold an NHQ account) to:
| To comply with a legal obligation: UK/EU anti-money laundering laws, Financial Conduct Authority rules and HMRC requirements oblige us to verify identities and take steps to prevent fraud and financial crime. To perform our contractual obligations: Where we provide a direct service to you, we process your data as necessary to perform our contract with you. Consent: Where required for particular identity checks or the processing of sensitive data. Legitimate interest: We have a legitimate interest in operating Noggin’s services, maintaining accurate records and preventing fraud or misuse. |
To assess credit risk and support lending decisions: We process application and product data (such as product type, loan size, application details and model version) to:
| To comply with a legal obligation: We are required to maintain records of credit assessments and to support statutory credit reporting. To perform our contractual obligations: Where the processing is needed to provide a service requested by you or the contracting party e.g. a Lender. Legitimate interest: We have a legitimate interest in operating our credit risk-scoring and analytics services, supporting responsible risk assessment on behalf of lenders, and maintaining accurate decision records. These interests are central to Noggin’s business. |
To analyse financial behaviour and generate risk assessments: We process account and transaction data (such as account reference, institution name, names on account, account type, account subtype, current balance, transaction date, description and amount) to:
| To comply with a legal obligation: Where required to support statutory credit reporting or fraud prevention. Consent: Where account information is made available via Open Banking, we rely on your consent as our lawful basis. Legitimate interest: We have a legitimate interest in accurately assessing creditworthiness and identifying financial behaviour patterns relevant to responsible lending decisions. |
To monitor account performance and validate our models: We process repayment and performance data (such as account type, start date, close date, monthly payment, repayment period, current balance, account status codes, credit or overdraft limits, credit turnover, default information and related reporting fields) to:
| To comply with a legal obligation: We are required to maintain accurate records and support statutory credit reporting. Legitimate interest: We have a legitimate interest in validating and improving our credit scoring models to ensure they remain accurate, fair and effective. Performance monitoring helps to identify early signs of financial difficulty or fraud. |
To respond to your requests and provide support: We process communications, statutory credit report, subject access request and support data (such as the content of your messages, your request details, declarations and supporting identity documents) to:
| To comply with a legal obligation: We are legally required to respond to statutory credit report requests, subject access requests and regulatory enquiries within prescribed timeframes. To perform our contractual obligations: Where we need to respond to a service request you make. Legitimate interest: We have a legitimate interest in communicating effectively, handling complaints efficiently and maintaining records for regulatory and analytical purposes. |
To operate, secure and improve our Website: We process technical, device and usage data (such as your IP address, browser and device information, cookie preferences, operating system, page response times, download errors, the websites you visited before coming to our Website and other browsing information) and profile data (such as your interests, preferences, feedback and survey responses) to:
| Legitimate interest: We have a legitimate interest in ensuring our Website operates securely and efficiently, understanding user interactions, and making improvements. Consent: Where cookies or similar tracking technologies require your consent under applicable law, we will obtain it before placing them on your device. You may amend your cookie preferences at any time; please see our Cookie Policy. |
To market our services and deliver advertising: We may process your personal data to:
| Consent: Where we send marketing communications or deliver tailored advertising using cookies or similar technologies, we do so with your consent. You can opt out at any time by clicking on unsubscribe links in any marketing email or by contacting us. You may amend your cookie preferences at any time; please see our Cookie Policy. Legitimate interest: We have a legitimate interest in promoting our services to individuals who may benefit from them. Where we rely on legitimate interest for marketing purposes, you have the right to object at any time, and we will promptly cease such processing. |
To protect our business and comply with legal and regulatory obligations: We may process your personal data to:
| To comply with a legal obligation: We are subject to legal and regulatory obligations relating to fraud prevention, statutory credit reporting, accounting and financial reporting. Legitimate interest: We have a legitimate interest in protecting our business and by sharing data in connection with corporate transactions, provided appropriate safeguards are in place. To establish, exercise or defend legal claims: We may process your personal data to establish, exercise or defend legal claims. |
In relation to the proposed or actual sale, restructuring or merging of any or all parts of our business: We may process your personal data in order to:
| To comply with a legal obligation: We are subject to legal disclosure requirements when engaging in processes to sell our business or buy other businesses. Legitimate interest: We have a legitimate interest in being able to sell, transfer or restructure our business. |
Who we share personal data with
We may share personal data with the categories of recipients described below, where this is necessary for the purposes set out in this Privacy Policy. Some of these recipients act as processors on our behalf, while others act as controllers for their own purposes.
Lenders and Financial Institutions
This includes the lender or prospective lender involved in your application or account, our Product Partners, banks or account providers, and payment or verification partners.
Product Partners
This includes partners who use our transaction categorisation and enrichment service to provide you with their products or services.
Service Providers
We may share personal data with service providers that help us operate our business, including third-party providers such as cloud hosting providers, analytics providers, communications providers, customer support providers, identity verification providers, fraud screening providers, document management providers and professional advisers (such as accountants and lawyers). Access by service providers with respect to Open Banking will be limited to what is reasonably necessary for them to perform their function, and we require them to protect the confidentiality and security of the data they process for us.
Regulators or Government Authorities
We may share personal data with regulators, courts, tribunals, government bodies, law enforcement agencies and other public authorities where this is required by law, required for regulatory reporting, or necessary to protect rights, safety or the integrity of our systems and services. For example, the Financial Conduct Authority or Financial Ombudsman Service.
Investors and Interested Parties
We may also share personal data with actual or potential acquirors, investors, insurers, funders, advisers or other interested parties in connection with a merger, acquisition, financing, restructuring or sale of all or part of our business or assets, or that succeeds us in carrying on all or part of our business, provided appropriate safeguards are in place.
Fraud prevention
Where necessary, we may share personal data with fraud prevention agencies, law enforcement agencies and other organisations involved in preventing, detecting and investigating fraud, money laundering and other crime.
We do not share traditional credit file information because we do not maintain traditional consumer credit files.
Automated Decision Making and Profiling
We use automated systems and profiling techniques to analyse transaction data and generate risk related insights and scores.
These assessments may contribute to decisions that affect you financially.
You have rights under UK GDPR relating to:
-
automated decision making,
-
correction of inaccurate data,
-
and objection to certain processing activities.
You may request human review of a decision made solely by automated means where applicable.
8. International transfers
Noggin is a UK-based company and we expect the majority of our processing to take place in the UK. However, we may transfer data to vendors, service providers and other recipients located outside the UK, where personal data protection laws may be less strict than in the UK.
Where we transfer personal data to recipients outside the UK, we will take appropriate precautions to protect your data and ensure that any transfers comply with UK Data Protection Legislation. This may include the use of UK IDTA, SCCs or alternative safeguarding measures.
Keeping Data Secure
Noggin is committed to keeping your data secure. We take appropriate technical and organisational measures to protect your personal data, such as encrypting data, use of MFAs, and Role-Based Access Controls. We continually monitor and review our security controls.
How long we keep your data
We retain personal data for as long as is necessary to fulfill the purposes described in this Privacy Policy, and as permitted or required by applicable law. This may be up to 6 years, in order to comply with HMRC rules or to comply with legal and regulatory requirements.
Anonymised and aggregated data
We may use anonymised and aggregated data, which does not directly or indirectly reveal your identity, to conduct research and analysis, produce statistical reports, and generally improve our services. We will not use anonymised or aggregated data in a manner that could reasonably permit the re-identification of any individual.
Statutory credit reports
A statutory credit report is a report prepared by Noggin, acting as a Credit Reference Agency, containing information relating to the creditworthiness, credit history or financial standing of an individual or entity.
You may request a copy of your statutory credit report free of charge. We will usually require identity verification in order to provide this, in order to safeguard your data.
Your rights
Subject to applicable law, and in relation to the personal data we hold about you, your rights include:
-
Access and information: You may request access to your personal data and information about how we use it.
-
Rectification: You may ask us to correct inaccurate or incomplete personal data.
-
Erasure: In certain circumstances, you may ask us to erase your personal data, where we do not have a legitimate reason to retain this.
-
Restriction: You may ask us to restrict how we use your personal data.
-
Objection: You may object to processing based on legitimate interests.
-
Portability: You may receive certain personal data in a structured, commonly used and machine-readable format.
-
Withdrawal of consent: Where we rely on your consent, you may withdraw it at any time, though this will not affect the lawfulness of prior processing.
-
Automated Decision Making: You have the right to object to any automated decision making
These rights are not absolute. We may refuse or limit your request if we have a lawful basis to do so, such as: where we need to comply with applicable law, protect the rights of others, preserve legal privilege, prevent fraud, or establish, exercise or defend legal claims.
To exercise any of these rights, please contact us at: support@nogginhq.co.uk or write to Noggin HQ Limited, Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF. We may request information to verify your identity before acting on your request. We will respond in writing within 1 month of receipt of identity verification documents, though in exceptional cases we may extend this by up to 2 further months, with reasons. We may also need to request further information to trace any personal data we hold about you.
We do not usually charge for this, however, in cases where the request is excessive or repetitive we may charge a fee.
Open Banking Data
You may withdraw consent to sharing your Open Banking data with us at any time via your NHQ account.
Complaints
If you wish to raise a complaint regarding the way Noggin handles your personal data, marketing or responses to rights requests, please contact us at: support@nogginhq.co.uk or write to Noggin HQ Limited, Toffee Factory Lower Steenbergs Yard, Walker Road, Newcastle Upon Tyne, England, NE1 2DF.
We will acknowledge receipt of your complaint without undue delay, and usually within 5 working days. Your complaint will be reviewed impartially and you will receive a response, advising of the outcome of your complaint and any reason behind the outcome.
You also have the right to lodge a complaint with the Information Commissioner’s Office if you are unhappy with the outcome of your complaint or believe that your personal data has been handled in a way that does not comply with data protection law: www.ico.org.uk
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Please refer to this Privacy Policy on an ongoing basis so you understand our current privacy practices.