Privacy Notice

How we process our customers’ personal information
Last Updated: October 2025

Our Privacy Promise

We promise to treat your information fairly, lawfully, and transparently

We take the security of your personal data seriously and only use it in ways that respect your privacy and comply with the law.

We will never sell your data, and we only share it where necessary and lawful to do so.

  1. Introduction

This Privacy Notice explains how and why ACT Credit Management Ltd (“ACT”, “we”, “us”, “our”) collects, uses, and protects personal data.

We act primarily as a Data Processor on behalf of our clients (the “Data Controller”), who instruct us to provide debt collection services.

In certain circumstances, we also act as a Data Controller in our own right. This includes, but is not limited to, the processing of personal data relating to:

  • Employees, job applicants, contractors and consultants – for HR, payroll, recruitment and compliance purposes.
  • Suppliers and service providers – to manage contracts, payments, and operational relationships.
  • Corporate and compliance functions – finance, governance, audit, training, and record-keeping.

When acting as Data Controller, we determine how and why personal data is processed and ensure that such processing complies with the UK GDPR, the Data Protection Act 2018, and ICO guidance.

  2. Information About Us

ACT Credit Management Ltd

Registered address: Bank House, 7 St. Johns Road, Harrow, HA1 2EE
Company Number: 05073492.
Email: compliance@actcredit.com
Telephone: 0203 1500 150

Our Data Protection Officer can be contacted at the above address or email.

  3. Scope of This Notice

This Privacy Notice explains:

  • What personal data we collect and where it comes from;
  • How and why we use it;
  • The lawful bases on which we rely;
  • Who we share it with;
  • How long we keep it; and
  • Your rights and how to exercise them.

  4. Your Rights

Under the UK GDPR, you have the following rights:

  • Right to be informed – to know how your data is collected and used.
  • Right of access – to request a copy of the data we hold about you.
  • Right to rectification – to correct inaccurate or incomplete data.
  • Right to erasure (“to be forgotten”) – to request deletion of your data in certain circumstances.
  • Right to restrict processing – to limit how your data is used.
  • Right to object – to object to specific types of processing.
  • Right to data portability – to request your data be transferred to another controller (where applicable).
  • Rights regarding automated decision-making and profiling. ACT does not use your data for automated decisions or profiling.

We do not carry out any automated decision-making or profiling that has a legal or significant effect on you.

You can exercise your rights at any time by contacting our Data Protection Officer (see Section 15).

You also have the right to complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk

  5. What Personal Data Do We Collect?

We may collect and process:

  • Identification and contact details (name, address, previous addresses, DOB, gender, telephone numbers, email);
  • Employment details and status;
  • Financial and account information (including debts, payments, income and expenditure);
  • Information relevant to an account or debt owed to our client;
  • Correspondence records and call recordings;
  • Information obtained from publicly available sources, such as probate records, to identify or contact executors or other relevant parties;
  • Details of any CCJs, insolvency or bankruptcy;
  • Trace and location information;
  • CCTV images (for office security).

Special Category Data

We may record health or vulnerability information, but only with your explicit consent and only where it helps us engage with you fairly and appropriately.

You can withdraw consent at any time by contacting us (see Section 15).

In some cases, our clients may share special category data that you have previously disclosed to them (for example, information about health or vulnerability) to ensure we treat you appropriately and in line with your circumstances. We only process such information where it is necessary for that purpose and in accordance with data protection law.

Criminal Convictions

We may process minimal conviction data where necessary and lawful.

  6. Sources of Personal Data

We may obtain personal data from a variety of sources, depending on the nature of our relationship with you and the services we are providing. These include:

  • Our clients (the Data Controllers), who instruct us to act on their behalf;
  • You directly, through telephone calls, email, post, SMS, live chat or other correspondence;
  • Third parties authorised to act on your behalf, such as a legal representative, family member, or person holding power of attorney;
  • Third-party tracing agents, used lawfully to confirm or locate current contact details;
  • High Court Enforcement Officers (HCEOs), solicitors, and legal agents, where we are jointly engaged in the enforcement or recovery of a debt;
  • Suppliers or service providers, who support our business operations and compliance functions;
  • Publicly available sources, such as the electoral register, Companies House, Land Registry, and other official or open databases;
  • Credit reference agencies (Equifax, Experian, TransUnion).

All data obtained from third parties is collected and processed lawfully, fairly, and transparently in accordance with the UK GDPR and ICO guidance.

  7. How We Use Your Personal Data

We use personal data for legitimate business purposes, including:

  • Contacting you regarding an account or debt;
  • Verifying identity and managing correspondence;
  • Arranging, agreeing and monitoring payment plans;
  • Processing payments and managing transactions;
  • Locating individuals where contact has been lost;
  • Providing our client with updates and reports on account activity or recovery progress;
  • Conducting compliance checks, audits and training;
  • Preventing and detecting crime, fraud, or money laundering;
  • Meeting legal, regulatory, and contractual obligations.

Lawful Bases for Processing

We rely on one or more of the following lawful bases under Article 6 UK GDPR:

  • Contractual necessity – to perform our obligations under contracts with clients or suppliers;
  • Legitimate interests – to pursue fair and responsible debt recovery, maintain business operations, and prevent fraud;
  • Legal obligation – to comply with laws and regulations, such as financial, tax, or data protection requirements;
  • Consent – when recording or processing special category (sensitive) data;
  • Vital interests – where processing is necessary to protect life or wellbeing.

  8. Data Sharing

We will only share personal data when it is lawful and necessary to do so.

We may share data with:

  • Clients, to keep account records accurate;
  • High Court Enforcement Officers (HCEOs), solicitors, and legal agents acting on our clients’ behalf;
  • Tracing agents acting under instruction;
  • Service providers (IT, payment, hosting, mailing, security);
  • Professional advisers, auditors, and insurers;
  • Regulators, law enforcement or government bodies, where required by law;
  • Courts in connection with legal proceedings;
  • Sub-contractors and suppliers under strict confidentiality and data-processing agreements.

Whenever data is shared, we apply contractual, technical and organisational safeguards (e.g. encryption, access controls, audits).

If data is transferred outside the UK or EEA, we use ICO-approved Standard Contractual Clauses (SCCs) or other approved safeguards.

  9. Fraud Prevention and Crime Reporting

We have legal obligations to detect and prevent fraud, financial crime, and money laundering.

Where necessary, we may share information with:

  • Cifas, Action Fraud, the National Crime Agency, HMRC, or the Police; and
  • Other authorised bodies for the prevention and detection of crime or to protect the vital interests of individuals.

We will only share data for these purposes when it is lawful and proportionate to do so.

  10. Data Security

We maintain comprehensive technical and organisational measures to protect personal data, including:

  • Access controls and encryption;
  • Regular penetration testing;
  • Secure disposal and retention procedures;
  • Staff training and confidentiality agreements.

We are certified to the ISO 27001 Information Security Management Standard, which provides a recognised framework for managing information security risks. We continually review and update our security measures to safeguard your personal data against loss, misuse, or unauthorised access.

  11. How We Use Your Personal Data

We retain personal data only for as long as necessary for the purpose it was collected, or to meet legal and regulatory requirements.

Typically, this means retaining records for up to seven years after the account is closed, in order to:

  • Respond to potential complaints or claims;
  • Demonstrate compliance with legal and contractual obligations; and
  • Maintain accurate business and audit records.

  12. Accessing Your Personal Data

You may request a copy of the personal data we hold about you by contacting us (see Section 15).

We will respond within one month, unless the request is complex, in which case we may extend this period by up to two additional months.

There is no fee for such requests unless they are manifestly unfounded or excessive.

  13. Keeping Data Accurate & Your Preferences

You can update your contact details or communication preferences at any time by contacting us.

We encourage you to keep your information accurate and up to date so that we can engage with you appropriately.

  14. Visitors to Our Office

CCTV is in operation at our premises for security and safety purposes.

Footage is stored securely and automatically overwritten after a short period unless required for investigation.

Visitor sign-in records are kept securely and retained for a limited time.

  15. How to Contact Us or Make a Complaint

If you would like to exercise any of your data protection rights (for example, to request a copy of your data, correct inaccurate information, or withdraw consent), or if you have any questions about how we handle your personal data, please contact:

Data Protection Officer
ACT Credit Management Ltd
Bank House, 7 St. John’s Road, Harrow, HA1 2EE
Email: compliance@actcredit.com

If you are unhappy about how we use your personal data or how we have handled your request, you also have the right to make a complaint to the Information Commissioner’s Office (ICO) at www.ico.org.uk

  16. Updates to This Privacy Notice

We review this Privacy Notice regularly and update it to reflect changes in the law or our practices. The most recent version will always be available on our website.

You can also request a copy by post or email (see Section 15) if you prefer, or if you require it in an alternative format for accessibility reasons.