WE ARE COMMITTED TO PROTECTING
AND RESPECTING YOUR PRIVACY
Genistar is the organisation responsible for deciding how your personal data is used. This means we are the data controller of your personal data.
We will process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Data Use and Access Act 2025 (DUA Act) and other associated legislation.
The Genistar companies covered by this Privacy Notice are:
Genistar Limited, company number 6315485, authorised and regulated by the Financial Conduct Authority (FCA), registration number 472050.
Genistar Mortgages Limited, company number 08430007.
Genistar Affiliates Limited, company number 08212045.
The registered address for each company is: Victoria House, Harestone Valley Road, Caterham, Surrey, CR3 6HY
Data Protection Officer (DPO): We have appointed Data Guard as our Data Protection Officer.
Contact: DataCo International UK Limited
Registered Address: Suite 1, 7th Floor | 50 Broadway | London SW1H 0BL
Email: privacy@dataguard.co.uk
Tel: 020 3318 17 18
We need to think about the three companies you mentioned. I recommend that we make this one Notice applicable to all, We should therefore call out the group in this intro.
We only use your personal data where we have a lawful basis under data protection law. This means we process your personal data for one or more of the following reasons:
Contract
We process your personal data to take steps at your request before entering into an insurance contract and, once agreed, to perform that contract. For example, we need to use your personal data to provide advice, prepare recommendations, and arrange the insurance products you ask us for.
Legal and regulatory obligations
We process your personal data where it is necessary to meet our legal or regulatory duties. This may include our responsibilities to the Financial Conduct Authority (FCA), compliance with anti-money laundering requirements, or responding to requests from regulators and authorities.
Legitimate interests
We may process your personal data where it is necessary for our legitimate business interests and your rights and freedoms are not overridden. Examples include:
• responding to requests from insurers, mortgage lenders, or our Compliance Service Provider about services we have provided;
• contacting you to request feedback on the service you received;
• training, monitoring, and improving the quality of our services.
We will ask for your consent before using your personal data for certain purposes, such as sending you marketing communications. You can withdraw your consent at any time.
Special category data
Where we process special category data (such as health information), we only do so where it is necessary and permitted by law — for example, where processing is necessary for insurance purposes in line with Article 9(2)(g) UK GDPR and Schedule 1 of the Data Protection Act 2018.
We collect personal data about you in the following ways:
• Directly from you – when you meet with us, speak to us on the phone, complete forms, send us emails or letters, or otherwise provide information in connection with the advice we give you and services we provide.
• From third parties – such as insurers, mortgage lenders, credit reference agencies, regulators, or official publicly available sources (such as the Electoral Register or Companies House) where this is needed to provide our services or meet our legal and regulatory duties.
• From our website and digital services – for example, when you complete online forms or interact with our website. If cookies or similar technologies are used, you will find more information in our Cookie Notice.
Where the personal data relates to dependents or family members (including children), we will only collect and use this information where it is necessary for the insurance products or services you request and in line with data protection law.
When you share personal data with us, or when we receive it from third parties on your behalf, we record it in our systems and use it in line with the lawful bases explained in this Privacy Notice.
Your personal data will only be used for the purposes for which it was collected, such as providing advice, arranging insurance products, and meeting our legal and regulatory obligations. Access is restricted to authorised staff and service providers who need it to carry out these purposes.
We do not use your personal data for unrelated purposes unless the law allows us to do so. If we need to use your personal data for a new purpose, we will explain this to you, explain the lawful basis and if required we will ask for your consent.
We share your personal data with third parties only where this is necessary and lawful. These may include:
Insurance providers and mortgage lenders – to arrange the products and services you request.
Compliance service providers and regulators (including the Financial Conduct Authority) – to meet our regulatory and legal obligations.
Professional advisers – such as auditors, lawyers, or accountants, where needed to support our business and compliance.
IT and support service providers – who help us operate our systems and services securely.
These organisations may act as independent data controllers (for example, insurers) or as our data processors (for example, IT service providers acting on our instructions).
If we need to transfer your personal data outside the UK, we will make sure it is protected. This may include:
· Transferring to countries that the UK has recognised as providing an adequate level of data protection, or
· Using appropriate safeguards such as approved standard contractual clauses with a UK addendum or other legal mechanisms.
Referral Leads
If you agree, our representatives may collect your details so that we can introduce you to Utility Warehouse. With your consent, we will share your name and contact details with Utility Warehouse so that they can contact you directly about their products and services.
When we share your details with UW, they act as an independent data controller. This means Utility Warehouse is responsible for how it uses your personal data once it has received it, and you should refer to the Utility Warehouse Privacy Notice for information about how they process your data and your rights.
We take the security of your personal data seriously. We protect it using appropriate technical and organisational measures, including secure systems, restricted access, staff training, and physical safeguards. Only authorised staff and service providers who need access for legitimate purposes are allowed to handle your data.
We are responsible for protecting your personal data once we receive it. To help keep your information safe during transfer, we recommend that you take reasonable precautions, for example, avoiding the use of unprotected email for sensitive documents, password-protecting or encrypting attachments where possible, and using secure methods of postage if you need to send us original documents.
We normally keep your personal data for six years after our relationship with you ends, in line with our legal and regulatory obligations. In some cases, we may need to keep it longer, for example, to comply with financial regulations, resolve complaints, or meet other legal duties. Once this period has passed, your personal data will be securely deleted or anonymised.
Where personal data relates to children or to special category data (such as health information), we review retention periods to ensure this information is not kept for longer than necessary.
You have a number of rights under data protection law in relation to the personal data we hold about you. These include the right to:
Access: to request a copy of your personal data and an explanation of how we use it.
Rectification: to ask us to correct inaccurate or incomplete personal data.
Erasure: to ask us to delete your personal data, where we have no lawful reason to keep it.
Restriction: to ask us to stop using your personal data in certain circumstances.
Portability: to request that we provide your personal data to you, or to another service provider, in a commonly used electronic format.
Objection: to object to the use of your personal data where we rely on legitimate interests as our lawful basis.
Withdraw consent: where we rely on your consent, you can withdraw it at any time.
Please note that not all of these rights are absolute rights. For example, we may not be able to delete information that we are required to keep for legal or regulatory reasons.
We will respond to any rights request without undue delay and in any case within one month of receiving it. If we are unable to act on your request, we will explain the reasons why.
If you would like to exercise any of these rights, please contact us using the details in the “How to contact us” section.
You also have the right to raise a concern with the Information Commissioner’s Office (ICO), the UK regulator for data protection, via https://ico.org.uk/
If you have any questions about this Privacy Notice, or if you would like to exercise any of your data protection rights, you can contact us at:
Data.Protection@genistar.net
Genistar Limited Victoria House, Harestone Valley Road
Caterham, CR3 6HY
You should also make contact with us as soon as possible on you becoming aware of any unauthorised disclosure of Your Personal Data, so that we may investigate and fulfil our own regulatory obligations.
If you have any concerns or complaints as to how we have handled Your Personal Data, you may lodge a complaint with the UK’s data protection regulator, the Information Commissioners Office (ICO), who can be contacted through their website at https://ico.org.uk/make-a-complaint/ or by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF