Privacy Policy

This privacy notice is to let you know how companies within the heylo housing group will look after your personal information. “your information” or "your personal information" means any information we hold about you, both online and offline which you or third parties provide to us which is required in order to provide our services to you. This includes what you tell us about yourself or a joint application when you contact us, via our website, phone, email or otherwise and also, what we learn by having you as a customer, and the choices you indicate about your marketing and contact preferences.

 Who We Are

The heylo housing group is made up of several different legal entities. We will tell you which one you will have a relationship with when we enter into contracts with you or you receive a service from us. That entity will be the relevant "data controller" under data protection law of any personal information relating to you or a joint applicant unless otherwise stated.

You can find out more about us at

If you have any questions, or want more details about how we use your personal information, then please email Paul Barks, DPO at

This privacy notice explains our approach to data protection. In this privacy notice, “we”, “us”, “our” and “heylo housing group” means any of the heylo housing group entities (including Heylo Housing Group Limited, HH No.1 Limited, HH No.2 Limited, Heylo Housing Registered Provider Limited, Heylo Housing Secured Bond plc, HH No.3 Limited, HH No.5 Limited, HH No.6 Limited and ResiManagement Limited).

 How the Law Protects You

Your privacy is protected by law. The UK Data Protection law says laws, such as the Data Protection Act 2018 and the UK GDPR, say that we are allowed to use personal information only if we have a fair and lawful reason to do so and we comply with a number of rules, principles and individual rights. This includes when using the personal information internally for our own purposes or sharing it outside the heylo housing group (more on this below).

The law says we must have one or more reasons. There are various grounds and exemptions such as:

  • To fulfil a contract we have with you or to take steps in preparation of entering such a contract, or

  • When it is our legal or regulatory duty, or

  • When it is in our legitimate interest, or

  • When you consent to it.

A legitimate interest includes when we or a third party have a business, commercial or similar bona fide and proper reason to use your information so long as this is not overridden by your own rights and interests or would not be reasonably be expected given our relationship. If we rely on our legitimate interest, we conduct a balance test of our respective rights to ensure there are no surprises or unexpected uses of personal information and we will tell you what that interest is.

What we use your personal information forOur reasonsOur legitimate interests
Provide home ownership products.Our legitimate interests Fulfilling contractsBeing efficient about how we fulfil our contractual obligations. Complying with regulations that apply to us.
Make housing assessments and allocations.Our legitimate interests Fulfilling contractsBeing efficient about how we fulfil our contractual obligations. Complying with regulations that apply to us.
Manage leases including collecting rent, service charges and other changes such as Ground Rent.Our legitimate interests Fulfilling contractsBeing efficient about how we fulfil our contractual obligations. Complying with regulations that apply to us.
Provide any relevant repairs and maintenance services.Our legitimate interests Fulfilling contractsBeing efficient about how we fulfil our contractual obligations. Complying with regulations that apply to us.
Keep in touch with our customers, understand your needs and preferences and invite you to events.Our legitimate interests Your consentBeing efficient about how we fulfil our contractual obligations. Seeking your consent when we need it to contact you.
Prevent and detect fraud and money laundering.Our legitimate interests Fulfilling contracts Our legal dutyDeveloping and improving how we deal with financial crime, as well as doing our legal duties in this respect
To obey laws and regulations that apply to usOur legal dutyBeing efficient about how we fulfil our legal and contractual duties.
Promote safety and the quiet enjoyment of the home, neighbourhood and community.Our legitimate interests Fulfilling contractsBeing efficient about how we fulfil our contractual obligations. Complying with regulations that apply to us.
Engage with customers and make improvements to our products and services.Our legitimate interests Your consentBeing efficient about how we fulfil our contractual obligations. Seeking your consent when we need it to contact you.
Promote equal opportunities and fair treatment for all our customers.Our legal duty Our legitimate interests
Provide information (e.g. about products and services) you request from us.Our legitimate interests Your consentBeing efficient about how we fulfil our contractual obligations. Seeking your consent when we need it to contact you.
Develop new products and services.
Meet our legal obligations, including those owed to our funders or regulators.Our legitimate interestsComplying with regulations that apply to us.

Personal Information We Collect

We collect various types of information about you as follows:

Contact Information

Your name, phone numbers that you can be contacted on, your email address, current residential address and any previous residential address in the last 3 years and how to contact you.

Financial Information

Your financial position, status and history including details of your credit record.

Identity Information

Details about you are stored in documents in different formats, or copies of them. This could include things like your passport, your driver’s licence, your birth certificate, details about your nationality, details on your rights of residency in the United Kingdom, details obtained from national and international databases of sanctioned persons, your date of birth, your utility bills or banking statements or other documents that you provide to us to verify your identity.

Banking Information

Your bank account details (bank account number, sort code, name and address).

Mortgage Information

Details about your current or expected mortgage. This could include information on your mortgage provider, the amount of your mortgage, your mortgage broker, the address of the property subject to a mortgage and any account numbers.

Contractual Information

Details about any products or services we provide to you.

Transactional Information

Details about payment to and from you in relation to any relationship or contract you have with us

Communication Information

Any information we have that we have obtained about you from letters, emails and conversations between us.

Consent Information

Any permissions, consents or preferences that you give us. This includes how you want to be contacted and whether you want to be included in marketing information that we may send to you.

Employment Information

Details of your employment status including whether you are employed or self-employed and details of your employer.

Product Information

Details of any of our housing products you may be interested in, including where you may want to live, when you would like to move home and the types of homes you may want to move to.

Property Information

Details of any previous properties occupied by you, details of any previous or current landlords.

How We Collect Personal Information

We may collect information about you from various sources including other companies in the heylo housing group, third party organisations, such as credit reference agencies as well as directly from you in a variety of ways including:

  • When you apply for our products and complete forms and contracts

  • When you talk to us on the phone

  • When you use our website

  • In emails and letters, either from you or from third parties –for example, if you write to us or if someone else writes to us on your behalf or in relation to your occupation of a property

  • In customer surveys

  • Payment data (i.e. when you make payments to us)

Data from third parties we work with including:

  • Companies that introduce you to us

  • Financial advisers

  • Credit reference agencies

  • Fraud prevention agencies

  •  Agents or agencies or contractors working on our behalf such as contractors appointed to provide management services in respect of properties that we own

  • Government and organisations performing services on behalf of Government such as Homes England and Regulator for Social Housing

Accuracy and keeping us updated

It is important that you notify us of any changes to your personal information as soon as possible so that we can contact you easily. You should also notify us if any of the information we hold is inaccurate. Please let us know by contacting us at or write to Paul Barks, DPO , at heylo housing, Level 6, Design Centre East, Chelsea Harbour, London, SW10 0XF. If you do, we will take reasonable steps to check its accuracy and correct it.

Who We Share Your Personal Information With

We may share your personal information with the following recipients including companies within the heylo housing group and the following third party organisations:

  • Agents, contractors and advisers who we use to help run our relationship with you and collect what you owe and identify any changes that we can make to how we run our business

  • HM Revenue & Customs, regulators and other authorities

  • Utility suppliers

  • Credit reference agencies

  • Fraud prevention agencies

  • Any party linked with you as a result of you entering into joint applications or due to the fact that you have a credit history associated with a particular party

  • Companies we have a joint venture or agreement to co-operate with

  • Housebuilders

  • Organisations that introduce you to us

  • Companies that we introduce you to

  • Market researchers

  • Independent Financial Advisors

  • Companies you ask us to share your data with

  • Parties and partners involved in any conveyance or letting process

  • Shareholders

  • Auditors

  • Police or courts

  • Banks

  • Government or law enforcement agencies

  • Providers of transaction platforms or similar IT systems

  • Professional advisors, including heylo housing group's, those of key parties such as lenders or potential purchasers of the business.

We may also share your personal information if:

  • We are required to do so by law

  • In connection with legal proceedings or potential legal proceedings

  • If required to do so by any court, or any regulatory, compliance, governmental or law enforcement agency

We may also share your personal information if the make-up of the heylo housing group changes in the future:

  • We may choose to restructure, generate investment, sell, transfer, or merge parts of our business, or our assets. Or we may seek to acquire other businesses or merge with them.

  • During any such corporate or investment process, we may share your data with other transaction parties. We’ll only do this if the proposed data sharing is necessary and they agree to keep your data safe and private in accordance with the law.

  • If the change to us happens, then other parties may use your data in the same way as set out in this notice.


How We Use Your Information to Make Automated Decisions

We sometimes use systems to make automated decisions based on personal information we have – or are allowed to collect from others – about you. This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the products, services or features we may be able to offer you now or in the future, or the price that we charge you for them. If you would like more information about how automated decisions work, you can contact us using the contact details provided below.

Here are the types of automated decision we make:

Entering into contracts

When you apply to enter into contracts with us, we check that the product or service is relevant for you, based on what we know.

We also check that you meet the conditions needed to enter into the contract. This may include checking necessary information such as age, residency, nationality or financial position.

Your rights in respect of Automated Decisions

As a person you have rights over automated decisions.

  • You can ask that we do not make our decision based on the automated score alone.

  • You can object to an automated decision, and ask that a person reviews it.

  • If you want to know more about these rights, please contact us using the contact details provided below.


Data minimization and retention

We will only ask for the information needed for the legitimate purposes we are collecting it. Where the information is mandatory we will confirm this. 

We will only keep personal information for the minimum periods of time that are necessary. Your personal information is retained by us in accordance with applicable law. Our data retention periods vary depending on the nature and context of the personal information that we control and are designed taking into account various factors including:

  • How long we need to keep the data to fulfil the original purpose for which it was collected

  • Potential claims or litigation

  • Guidance from official bodies such as regulators

  • The nature and sensitivity of personal information

  • Legal obligations to which we are subject.

In essence, we delete, anonymise or otherwise put beyond use personal information when: the purpose for its processing has been fulfilled or the contractual relationship with you has ended; all mutual claims have been fulfilled; and there are no other legal obligations to retain the personal information nor legal bases for further processing. We securely dispose of or anonymise personal information when it is no longer needed. Where we have anonymised your personal data, we will still hold the data but in such a form that it cannot be used to identify you as data subject.


Security practices and measures

Please note any information that is transmitted over the internet is not always 100% secure. Any personal information we control will always be processed in accordance with applicable data security and confidentiality laws. We only make disclosures where necessary. 

We are committed to safeguarding the privacy of all your information, to ensure it is secure and treated with confidence. We maintain appropriate technical, contractual and organisational measures to prevent personal information being subject to a security breach incident, such as data loss, destruction or unauthorised transfers or access. Our security practices and measures are designed taking into account various factors including the current technology and costs, as well as the risks to your privacy rights.

Credit reference agencies

We carry out credit and identity checks when you apply for a product or services for you. We may use Credit Reference Agencies (“CRAs”) to help us with this.

If you use our services or enter into contracts with us, from time to time we may also search information that the CRAs have, to help us manage our relationship with you. 

You must make sure any joint applicants and associated partners are aware of the checks being undertaken prior to submitting an application. You must not submit personal information or an application relating to a third party without providing this Privacy Notice to them and ensuring they are happy to proceed.

We will share your personal information with CRAs and they will give us information about you and the joint applicant. The data we exchange can include:

  • Name, address and date of birth

  • Credit application

  • Details of any shared credit

  • Financial situation and history

  • Public information, from sources such as the electoral register and Companies House.

We’ll use this data to:

  • Make sure what you’ve told us is true and correct

  • Assess credit risk and any individuals propensity to make repayments in connection with the proposed property transaction 

  • Help detect and prevent financial crime

  • Manage your contractual relationship with us

  • Trace and recover debts

These searches and checks are conducted in our legitimate commercial interests to ensure you can keep up with your contractual and financial commitment to us and to avoid potential fraud or wider costs of contractual terms being breached between us.

If the time lapsed from initial credit search to exchange of contracts is longer than 3-months then we may run further full credit searches after this time.

If you stop making rental payments to us or otherwise default on payments due to us, we will report this to CRAs. This may negatively affect your credit score and limit your ability to obtain credit in the future.

We will go on sharing your personal information with CRAs for as long as you are a customer. This will include details about your settled amounts that were due to us and any amounts not fully paid on time. The CRAs may give this information to other organisations that want to check credit status. We will also tell the CRAs when you and any joint applicants settle your outstanding contractual obligations with us.

When we ask CRAs about you and joint applicants, they will note it on your credit file. This is called a credit search. Other organisations (including lenders or providers of goods or services) will see this credit search or previous footprint on any report prepared for their own purposes and prospective relationship with you.

If you apply for a product with someone else, we and the CRAs will link your records with theirs. We will do the same if you tell us you have a spouse, partner or civil partner. These linked records are called associated records. Enquiries made with CRAs may be answered from both your record and any associated records. Two people’s records will be associated when they make a joint application, you tell us about a financial association or the CRA has associated records.

You should tell associated individuals about this before you apply for a product or service. It is important that they know your records will be linked together, and that credit searches may be made on them.

CRAs will also link your records together. These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other to successfully disassociate or break the linked record.

You can find out more about any associated records and the CRAs on their websites, in the Credit Reference Agency Information Notice or ("CRAIN"). This includes details about:

  • Who they are

  • Their role as fraud prevention agencies

  • The data they hold and how they use it

  • How they share personal information

  • How long they can keep data

  • Your data protection rights.

The CRAIN describe how agencies in the UK use and share personal data – and details of their wider practices and use of data in accordance with data protection legislation. The respective CRAIN documents are also available on the CRAs' websites. Here are links to the CRAINs and wider privacy information notices for each of the three Credit Reference Agencies we may share your personal information with for the purposes set out above:

Fraud Prevention Agencies (FPAS)

We may need to confirm your identity before we provide products or services to you. Once you have become a customer of ours, we will also share your personal information as needed to help detect fraud and money-laundering risks. We use FPAs to help us with this.

We and FPAs may also share your personal information with law-enforcement agencies to detect, investigate and prevent crime. If fraud is detected, you could be refused certain services or finance.


Data Transfers out of the UK/EEA (BY FPAS)

FPAs may send personal information to countries outside the United Kingdom ('UK') and/or the European Economic Area (‘EEA’). Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under UK data protection legislation, so when they do, there will be a contract in place to make sure the recipient protects the data to the same standard as the UK and/or EEA if required by law. This may include following international frameworks for making data sharing secure or as otherwise permitted under data protection legislation.

Sending Data outside of the UK/EEA

From time to time and for operational reasons the personal information we collect from you may be transferred to and stored in countries outside of the UK and/or EEA.

Your information may also be processed by some of our service providers which operate outside the UK or EEA. Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under UK data protection legislation.

However, when we appoint our service providers to help us provide products and services to you (which may include some based in the USA), we take care to ensure that they have appropriate security measures in place.

In limited circumstances, international data transfers may be permitted under data protection legislation. Where required, or where the transfer is undertaken in the course of regular business operations to IT or similar service providers, we or the sub-contractor or system or platform provider will put in place standard or model contractual clauses for those services.

The model data transfer clauses are approved by regulatory and/or government authorities as a lawful safeguard to share data outside the UK and EEA.

Please contact us if you would like more information on the model clauses, which can also be accessed from the Information Commissioner's Office and European Commission websites.

If You Choose Not to Give Personal Information

We may need to collect personal information by law, or under the terms of a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or policies. It could mean that we cancel a product, contract or service you have with us.

Any data collection that is optional would be made clear at the point of collection.


We do not sell or rent any of your personal information. We may use your personal information to tell you about our own relevant products and offers. The personal information we hold for you is made up of what you tell us and data we collect when you use our services or website or from the third parties we work with.

We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

We can only use your personal information to send you marketing messages if we have either your consent or a ‘legitimate interest’. That is when we have a business or commercial reason to use your information.

You can ask us to stop sending you marketing messages or processing for wider marketing purposes by contacting us at any time. We will record your latest indications and marketing preferences on our marketing suppression lists without undue delay.

Whatever you choose, you'll still receive important information and communications from us such as changes to your existing contracts, legally required communications or regards changes to our services.

We may ask you by an appropriate contact method, to confirm or update your choices, where you take out any new products, contracts or services with us in future. We may also ask you to do this if there are changes in the law, regulation, or the structure of our business.

If you change your mind you can update your choices at any time by contacting us.


Your Rights and Contacting Us

You have certain rights under data protection legislation, including a right to access and request a copy of the personal information we hold or control on you, if you request it in writing or orally. You also have the following rights in respect of your personal information:

• Right to correct: the right to have your personal information rectified, clarified or amended if it is inaccurate or incomplete or otherwise not up to date.
• Right to erase: the right to request that we delete or remove your personal information from our systems.
• Right to restrict or suppress our use of your information: the right to 'block' us from using your personal information or limit the way in which we can use it in circumstances where for example, your information is inaccurate, the processing is unlawful or we no longer require the information.
• Right to data portability: the right to request that we move, copy or transfer your personal information to another provider, if the basis for collecting and processing was consent or a contract.
• Right to object: the right to object to our use of your personal information including where we use it for our legitimate interests, or where we use your personal information to carry out profiling to inform our market research and development of our business.
• Right to withdraw: where we ask you for consent, you have an absolute right to withdraw consent.

Please note the above rights do not apply to general business information but only personal information.

If you are exercise your rights in writing or orally (using the contact details below), you may be asked to verify your identity before a request can be processed if we have reasonable concerns and verification is necessary, for example to avoid a personal information security or confidentiality breach.

The information will be provided in response to your requests without undue delay and within one month of the receipt of the request. However, if the request is complex or there is more than one, we reserve our right to extend this time period by a further two months (so three months in total) if necessary. If we require further time, we will keep let you know and keep you updated.

We also reserve the right to charge a reasonable administrative fee for each further requests of the same personal information or where the requests are excessive or repetitive.

If you raise an objection we will stop processing your personal information unless specific circumstances and overriding reasons apply, in which case we will let you know why we're continuing to process your personal information and why we consider our legitimate interests prevail on balance.


Enquiries and Complaints

We will use reasonable efforts consistent with our legal duty to provide you with your rights in accordance with data protection legislation. There may be legal or other official reasons why we need to keep or use your data. But please tell us if you think that we should not be using it.

To make enquiries, exercise any of your rights set out in this Privacy Policy and/or make a complaint please contact or write to Paul Barks, DPO at heylo housing, Level 6, Design Centre East, Chelsea Harbour, London, SW10 0XF. You can also contact us on 0203 744 0415.

If you're not satisfied with the way any complaint you make in relation to your personal information is handled by us then you may, in addition, be able to refer your complaint to the relevant data protection regulator. In the UK, this is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF. Find out on their website how to report a concern:

Please do feel free to contact us in the first instance.

How to Withdraw Your Consent

You can withdraw any consent you have given us at any time. Please contact us at or write to Paul Barks, DPO at heylo housing, Level 6, Design Centre East, Chelsea Harbour, London, SW10 0XF if you want to do so. You can also contact us on 0203 744 0415. You can also use an unsubscribe links in any email communication or reply STOP to an email for marketing purposes. Once you have opted out of marketing communications, you will be added to a suppression list to ensure you do not receive any future marketing communications from us.

If you withdraw your consent, we may not be able to provide certain products or services to you. Withdrawing your consent does not undermine the lawfulness of our activities before the withdrawal.

You have the right to ask us not to process your personal information if it is causing or likely to cause substantial damage or distress or is to be used for direct marketing. There may also be other specific circumstances where you may wish for us to stop processing your data, such as if you agreed to take part in a survey or signed up to an optional service. However, we need to maintain certain records to enable us to provide you with the services you receive. We will explain our rationale for the approach.

How to Get a Copy of Your Personal Information

  • You can access your personal information. The right to access the information is an individual one. This means that we cannot usually process joint requests – they are to be treated separately for security and confidentiality reasons.

  • You have a right to access personal information we hold about you. The right to access the information is an individual one and we would not want to disclose your personal information to a third party inappropriately. This means that we cannot process joint requests (for example, by two purchasers or tenants of the same property) –our policy is to treat them separately, unless limited circumstances and specific authorities apply in a given case.

You can write to us to make your request and, if necessary, we may ask you for further information to help us locate the information you are requesting. Please write to Paul Barks, DPO at heylo housing, Level 6, Design Centre East, Chelsea Harbour, London, SW10 0XF. You can also contact us on 0203 744 0415.

We will respond to your request within 30 days unless we require an additional two months where a large amount of information is requested, or the request is otherwise complex. We will advise you of any such additional time required within 30 days of receiving your request and together with the reason for this extension.  We may require proof of your identity and address – we will let you know this when we receive your request if we have reasonable concerns.


Cookies technology

Our website may also use cookies and other related technologies (for convenience all technologies are referred to as "cookies") for various functional, operational and analytical purposes. Cookies are also placed by third parties we have engaged. For more information please see our Cookies Policy.



This privacy notice is dated February 2022 and will be updated to reflect changes either to the way in which we operate or changes to data protection legislation. We will bring any significant changes to your attention and we suggest that you revisit this notice from time to time. Changes posted on this page will become effective as soon as they are posted, unless consent is required for the change.

Contacting Us

If you have any data protection queries relating to our use of your personal information or any related data protection queries, please contact: or write to us at: 

Paul Barks, DPO, Level 6, Design Centre East, Chelsea Harbour, London, SW10 0XF

You can also call us on 0203 744 0415.