Name: Bluestone Mortgages Ltd (BML).
Address: Bluestone Mortgages Limited, 40 Leadenhall Street, London, EC3A 2BJ
Phone Number: 0800 368 1834
If you want to receive a copy of the information we hold or exercise any of your information rights as explained in this notice you can submit your request using this link.
If you do not wish to use this form, or if you have any concerns or complaints about our use of your information, you can contact us using the details above. If we cannot resolve your enquiry to your satisfaction, you can contact the ICO at www.ico.org.uk or by telephoning 0303 123 1113 if you have a complaint that relates to the way we have handled your personal information.
You can contact our Group Data Protection Officer by email at dataprotectionoffice@shawbrook.co.uk or by writing to them at Shawbrook Bank Limited, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE, if you have any questions about this privacy notice.
Bluestone Mortgages Limited (we, us and our) is committed to protecting your privacy.
We have produced this notice to explain to you what personal data we have, how we get it and how and why we use that information.
For the purpose of this notice, where we refer to “you” or “your” this will also include (where the context permits, such as intermediaries/brokers) your principals, directors, shareholders, employees, contractors, and workers (together your “related parties”).
Bluestone Mortgages Limited is a wholly owned subsidiary of Shawbrook Bank Limited, with our own separate legal and regulatory status. We are registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA142954. Shawbrook Group PLC, Shawbrook Bank Limited (SBL) and its wholly owned subsidiaries Bluestone Mortgages Limited (BML), The Mortgage Lender Limited (TML) and JBR Capital (JBR), collectively referred to as ‘Shawbrook’ within this notice, offer products to retail and commercial customers.
Under data protection laws, we are a controller of the personal data that we collect and hold about you. This is because we decide how and why your personal data is used.
If you have made an application on behalf of another individual, a joint application with another individual, or an application on behalf of a business or other organisation and have provided us with information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), then this privacy notice will also apply to them. It is important that they read this notice and we will assume that you have told them that their details will be shared with us and that you have shown them this notice.
Note for Intermediaries
You should not share any related party’s personal data with us except where you have shown them a copy of this privacy notice and obtained their confirmation that they know you will share it with us for the purposes described (and where you have their consents, as relevant, for the processing described).
How to contact us
If you want to receive a copy of the information we hold or exercise any of your information rights as explained in this notice you can submit your request using this link. If you prefer not to use our online form or have any concerns or complaints about our use of your information, please use the details below or visit the contact us section on our website.
Personal data
You can contact our Group Data Protection Officer by email at dataprotectionoffice@shawbrook.co.uk or by writing to them at Shawbrook Bank Limited, Lutea House, Warley Hill Business Park, The Drive, Great Warley, Brentwood, Essex, CM13 3BE, if you have any questions about this privacy notice.
If we cannot resolve your enquiry to your satisfaction, you can contact the ICO at www.ico.org.uk or by telephoning 0303 123 1113 if you have a complaint that relates to the way we have handled your personal data.
In this notice, we will let you know more about how we use your information including
Your information rights
You have a number of rights which are explained below. If you wish to exercise any of these rights, you can do so by using the contact details at the start of this notice. We will explain whether the right applies to you, as these rights do not apply in all circumstances. You will not have to pay a fee for exercising your rights. We try to respond within one month; however, if we think it will take longer than one month, we will notify you and keep you updated. We will need to verify your identity before we can act on any request you make to us under this notice.
Right to access
You have the right to access the personal data held about you and to obtain certain prescribed information about how we process it. This is commonly known as submitting a ‘data subject access request’.
Right to rectify your personal data
If you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information corrected.
Right to erasure
You may ask us to delete information we hold about you in certain circumstances; this is often referred to as the ‘right to be forgotten’. This right is not absolute and only applies in particular circumstances. It may not always be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship with you or we are required to retain information to comply with our legal obligations or to exercise or defend legal claims.
Right to restriction of processing
In some cases, you may have the right to have the processing of your personal data restricted. For example, where you contest the accuracy of your personal data, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.
Right to object to processing
You may object to the processing of your personal data (including profiling) when it is based upon our legitimate interests or for the purposes of statistical analysis.
Right to object to direct marketing
You may also object to the processing of your personal data for the purposes of direct marketing and you can do this at any time.
Our direct marketing activities are limited to intermediaries only.
Right to data portability
You have the right to receive, move, copy or transfer your personal data to a controller, which is also known as ‘data portability’. This only applies to information you have given us and if we are processing your personal data based on consent or contract and the processing is automated.
The following list describes the different types of information we process about you. We explain why we process this information later in this notice:
The table below sets out the main ways we process your information, including for our legitimate interests. Processing necessary for the purposes of our legitimate interests, or those of a third party, is a type of lawful basis which applies to much of our processing. When we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you choose not to provide it, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
If you have any concerns about the processing below, you have the right to object to processing that is based on our legitimate interests. For more information on your rights, please see the “Your Rights” section.
Reason for processing | Processing is necessary for: |
Considering and processing your application
We need to process your personal data in order to decide whether we can offer you the product you have applied for and to evaluate any security and/or guarantee arrangements relating to a product. | A contract we have with you, or because you have asked us to take specific steps before entering into a contract |
Where you have agreed for us to be able to review your transaction data we will use this data to assess creditworthiness and affordability. | Our legitimate interests |
Performing credit searches and verifying your identity
We need to carry out credit searches and verify your identity before we can offer you a product or service. We also verify your identity as a donor or lender of deposit monies or as occupier of any security property to ensure that there is no conflict in respect of parties’ rights over the relevant security property. | Our legal or regulatory obligations |
We also need to do this to ensure that we are acting as a responsible lender, including with regards to fraud prevention and identity theft. | Our legitimate interests |
Administering your account
We will use your information to administer your account in several ways which includes: · collecting loan repayments. · providing you with account statements, notices, · providing you with information such as changes to your interest rate. · managing any arrears on your account. · enforcing any security that we have in place. · dealing with any queries or complaints that you may have. | A contract we have with you, or because you have asked us to take specific steps before entering into a contract or our legal or regulatory obligations |
We may also use your information in order to: · recover debts due to us and keeping our records updated. | Our legitimate interests |
Managing our business operations and our internal governance functions
We will use your information for the following purposes: · monitoring communications and activities in relation to your account. · accounting and audit purposes. · complying with our corporate governance requirements. · providing you with relevant products and services. · business support services. | A contract we have with you, or because you have asked us to take specific steps before entering into a contract or our legal or regulatory obligations |
We may also use your personal data to measure our operations and performance against our business and compliance aims and to ensure that we are running our business in an efficient and proper way. | Our legitimate interests |
Responding to your requests to exercise your legal or regulatory rights
Where you have made a request relating to your legal or regulatory rights, such as those detailed in the “your information rights” section of this notice, we need to process your personal data in order to process and respond to your request. | Our legal or regulatory obligations |
Performing statistical analysis and conducting market research
We may analyse your personal data and conduct market research, such as by asking our customers to complete feedback surveys, to help us better understand our customer base and the markets in which we operate or may wish to operate. | Our legitimate interests |
Collecting information about how you use our website
See our Cookie Policy for more information. | Our legitimate interests or where we have your consent |
Assisting third parties
To assist intermediaries or brokers with their management operations and managing our use of third parties, which includes: a) managing records about you. b) ensuring the type of business that third parties refer to us is appropriate. c) resolving any complaint made by you about a third party and/or any dispute between you and us regarding a third party. | Our legal or regulatory obligations |
We may also need to process your personal data to ensure that the third party is fulfilling the terms of their contract with us and that we act as a responsible lender. | Our legitimate interests |
Testing, improving and securing our products, services and systems
We may need to process your personal data to ensure the security, efficiency and reliability of our products, services and systems. | Our legal or regulatory obligations or our legitimate interests |
Facilitating your entry into our competitions
Where you have entered one of our competitions, we may need to process your personal data to facilitate your entry and administer the prize draw. | A contract we have with you, or because you have asked us to take specific steps before entering into a contract |
Facilitating your attendance at an event hosted by us
Where you have registered to attend one of our events, we require your personal data to facilitate your attendance. | Our legitimate interests |
Making reasonable adjustments to our processes
We may record information relating to your health or personal circumstances where we need to make reasonable adjustments to our processes. | Our legal or regulatory obligations or where we have your explicit consent. |
Criminal Conviction and Special Category Data
We will only process personal data relating to criminal convictions or offences and alleged offences where the law permits us to do so e.g. to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption and international sanctions or where we have your consent to do so.
Data protection law defines certain types of information as ‘special category data’. This includes details about your health and medical conditions. We will only process special category data where we have obtained your explicit consent to do so or another lawful basis exists, for example, where it is necessary for reasons of substantial public interest, such as to safeguard the economic well-being of individuals, preventing or detecting unlawful acts or preventing fraud.
Withdrawing Consent
Where we rely on your consent, you have the right to withdraw your consent at any time. Please submit your request here if you wish to do so.
We collect your personal data directly in several ways, including:
We obtain your personal data indirectly from third parties including:
If you are applying to us indirectly through a third party, then they should have provided you with their own privacy notice and if they did not, you should ask them for a copy.
So that we can provide you with products and services, meet our legal obligations and manage our business, it may be necessary to share your personal data with other third parties including:
We may share your information with any person that you have authorised to engage with us on your behalf or that otherwise has a legal authorisation to do so. This includes parents/guardians, carers, or any other helpers where you are unable to handle your own affairs for example power of attorney. We may share your information with any organisation you have appointed to act on your behalf or authorised to receive your information, such as law firms and claims management companies.
Please note that our website may contain links to other third-party websites. These websites will not be governed by this notice and we therefore recommend that you read the privacy and cookie notices on the other websites you visit.
To process your application, we will perform credit and identity checks on you with one or more CRAs. Where you have a mortgage with us we may also make periodic searches at CRAs to manage your account with us. To do this, we will share your personal data with CRAs and they will give us information about you. This will include:
We will use this information to:
We will continue to share information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal data, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN) which is accessible from each of the three CRAs:
TransUnion (formerly Callcredit)
The personal data we have collected from you will be shared with fraud prevention agencies to help us make credit related decisions. Fraud prevention agencies will also use your personal data to prevent fraud and money-laundering and to verify your identity.
We may automatically decide that you pose a fraud or money laundering risk because of our fraud prevention searches or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.
We will only transfer your information outside the United Kingdom (“UK”) when the law permits us to do so. We usually do this in order to share your personal data with organisations who provide us business support services or our professional advisors.
Should we transfer your personal data to any other territories or countries outside the UK we ensure appropriate safeguards are in place, where required, to maintain the same levels of protection as are needed under data protection laws in the UK.
We use systems to make automated decisions about you or your business when:
Our automated decisions use profiling which means that we use your personal data to make decisions that can affect the products, services or features we may offer you now or in the future, or the price that we charge you for them. For example, if you do not meet an element of our lending criteria (such as being over 18 or being a resident in the UK) any application for credit will be automatically declined. If you do meet our lending criteria, the amount we lend, the term of your loan and the interest we charge on your loan will be determined by your credit status.
Reviewing an Automated Decision
For more information or to exercise these rights please submit your request here.
Except as otherwise permitted or required by law or regulation, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for (as described in this privacy notice), as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. This will be for a minimum of 6 years from the date our legal relationship with you has ended (for example, after a service has ended, a transaction has completed, or your account has closed and there are no outstanding matters to be addressed, such as a payment or complaint). If your application is declined, we will store your personal data in accordance with our record retention procedures and to comply with our legal obligations.
To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. In some circumstances, we may anonymise your personal data so that it can no longer be associated with you.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We strive to ensure that your personal data is kept up to date and accurate. If any of the personal data you have given to us or third parties changes, such as your contact details, homeownership status, employment status or marital status, please promptly inform us in accordance with the terms and conditions of your agreement with us.
You will be required to provide us with any changes to your personal data under the agreement you enter into with us if your application for a credit or savings product is accepted. If you fail to do so this will put you in breach of your agreement.
Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.
We keep this Notice under regular review and any updates will be posted on our website in the most recent version of the Privacy Notice. Where appropriate, changes may be notified to you by post or email.
Last updated: August 2025