Services Privacy and Cookie Policy

Last Updated

28 November 2019

When does this policy apply

This Policy and the Credit Kudos Services Terms of Use apply to your use of the Platform and the Services once you register to access the Platform and use the Services.

Here is the information we may collect about you

Information you voluntarily provide:

  1. If you contact us (by phone, email, web chat or through the Platform), we may keep a record of that correspondence for two years in case we need to contact you in relation to the issue for which you contacted us, for operational performance improvement and/or nuisance caller management. We will not use it for marketing purposes.
  2. If you report a problem with the Platform and/or the Services, we may keep that information for two years in case we need to contact you in relation to the issue for which you contacted us, for operational performance improvement and/or nuisance caller management. We will not use it for marketing purposes.
  3. As part of providing our Services, we retrieve account information contained within your financial accounts. Once we've retrieved your account information, we store and process this as a CRA as part of our credit reference and credit information services activities, as detailed in the below section "Credit Reference Agency Processing". Credit Kudos keeps account information and credit information for up to six years. We will not use it for marketing purposes.

The information you give may include your name, address, telephone number, email address, and financial account details.

Information we collect about you and your device

As part of this contract for our services, we may ask for ongoing access to your account information for up to 90 days. You will be informed before you complete the authorisation process of exactly how long this ongoing access will continue. You may withdraw consent for Credit Kudos to have ongoing access to your account information at any time through our consent management dashboard, by managing consents through your financial institutions, by letting us know through our web chat or by emailing support@creditkudos.com. In order to use our consent management dashboard, we ask that you create a password while using our platform. If you do not set a password while using the platform, or you contact us directly through our web chat or by email, we will need to collect two forms of identification to verify you are the same individual for whom we collected consent in the first place. Your withdrawal of consent for Credit Kudos to have ongoing access to your account information will not affect the lawfulness of any data processing carried out by us using data accessed prior to the revocation of ongoing consent. At that time, you may also want to remove any cookies which have been placed on any device used to access the Website, Platform and/or Services.

We are authorised and regulated by the Financial Conduct Authority as a CRA (reference number 770345). As such, when you use the Platform and interact with our Services, we may receive outcome data from third parties related to your financial standing. This means we will collect information about any applications you make to financial services companies via the Platform. When you use the Platform and interact with our Services, we may use technology such as that provided by Google Analytics to collect information. You can find more information about Google Analytics here. Google Analytics enables us to analyse how you and others interact with our Platform. The information we collect may include:

  • your IP address;
  • the type of browser you use (e.g. are you using the Chrome or Safari browser?);
  • the number of sessions per browser on each device;
  • the type of device (e.g. Samsung) and operating system (e.g. Android) you are using;
  • referrer information;
  • time zone;
  • user preferences;
  • which pages you visited;
  • whether or not a credit product was granted;
  • whether you repaid that credit product or not; and
  • whether you are in arrears or default.

Credit reference agency processing

Credit Kudos is authorised by the FCA to provide services as a CRA. CRAs receive personal data about individuals that’s part of, derived from or used in credit activity. The ways in which CRAs use this personal data include:

Credit reporting and affordability checks

  • Credit Kudos uses data it gathers to provide credit reporting services to its clients.
  • Institutions use credit reporting services to see the financial position of people and businesses. For example, a lender or creditor may check with a CRA when an individual or business applies for credit and the lender or creditor needs to make a credit decision taking into account that person or business’s credit history.
  • Affordability checks help Institutions understand whether people applying for credit or financial products (like loans) are likely to afford the repayments.
  • These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.

Verifying identity, and preventing and detecting criminal activity, fraud and money laundering

CRAs also use data to provide verification, crime prevention and detection services to Institutions, as well as fraud and anti-money-laundering services. For example:

  • When a person applies to an organisation for a product or service, the organisation might ask them to answer questions about themselves, and then check the answers against the data held by the CRA to see if they’re correct. This helps confirm the person they are dealing with is not trying to commit identity theft or any other kind of fraud.
  • If a person applies for credit the lender or creditor might check the personal data that person gives them against the personal data held by CRAs to try and prevent fraud.

Account management

CRAs supply information including personal data to their clients for account management, which is the ongoing maintenance of the client organisation’s relationship with its customers. This could include activities designed to support:

  • data accuracy (such as data cleansing - where bureau data can be used to clean or update lender data. This might involve checks that data is in the right format or fields, or to correct spelling errors);
  • clients’ ongoing account management activities. (For example, data sharing with lenders and creditors so clients can make decisions relating to credit limit adjustments, transaction authorisations, and to identify and manage the accounts of customers at risk, in early stress, in arrears, or going through a debt collection process, or to confirm that assets are connected to the right person).

Tracing and debt recovery

CRAs may also use personal data to support debt recovery and debtor tracing.

Statistical analysis, analytics and profiling

CRAs can use and allow the use of personal data for statistical analysis and analytics purposes, for example, to create scorecards, models and variables in connection with the assessment of credit, fraud, risk or to verify identities, to monitor and predict market trends, to allow use by lenders for refining lending and fraud strategies, and for analysis such as loss forecasting.

Database activities

CRAs carry out certain processing activities internally which support database effectiveness and efficiencies. For example:

  • Data loading: where data supplied to CRAs is checked for integrity, validity, consistency, quality and age to help make sure it’s fit for purpose.
  • Data matching: where data supplied to CRAs is matched to their existing databases to help make sure it’s assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. CRAs use the personal data people give lenders together with data from other sources to create and confirm identities, which they use to underpin the services they provide.
  • Data linking: as CRAs compile data into their databases, they create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
  • Systems and product testing: data may be used to help support the development and testing of new products and technologies.

Other uses with an individual’s permission

From time to time Credit Kudos may use the personal data they hold or receive about individuals for other purposes where the individual has given consent.

Uses as required by or permitted by law

Personal data may also be used for other purposes where required or permitted by law.

Our use of aggregated or anonymised information

We may provide aggregate user statistics and other usage data which does not identify you specifically to third parties. We may combine your data with those of other users of our Platform and share or provide this information in aggregated and anonymised form with third parties. For example, if we establish that users who obtain their gas and electricity from the same energy retailer are less likely to default on a loan then we may share such information with loan providers, but we would only ever do this with anonymised and aggregated data from which it would be impossible to identify an individual.

We may also use information collected from you and combine it with information provided by other users of our Platform to help us improve the design and delivery of our software tools, increasing the effectiveness for all users.

This is who we share your information with

We will only share information with other organisations where we have your permission to do so in accordance with this Policy or where we believe it is necessary for a legitimate reason connected with the Platform or our Services.

We share personal data with third parties in a transaction to provide our CRA services. We work with analytics providers, banks and other credit providers and we may receive information about you from them. We also work with Twitter, Google, Facebook and LinkedIn to allow you to register for the Services using the credentials that you have with those companies. Below is a non-exhaustive list of third parties we work with. We may work with third parties not listed below or stop working with the third parties listed below.

| Name of third party | Why we work with them |
|---|---|
| Google Analytics | To monitor Platform and Website performance & user experience |
| Various banks and providers of credit | To enable us to provide the Services, including by enabling us to provide transaction data to those banks and providers of credit. |
| Google Apps for Work | To process emails |
| Google | To allow you to register for the Services using the credentials that you have with this company |
| Intercom | To allow you to interact with us via email and live chat |

In addition, we may disclose your personal information to third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request;
  • to enforce or apply our Credit Kudos Services Terms of Use and other agreements or to investigate potential breaches; or
  • to protect the rights, property or safety of our Platform or our users.

Our use of cookies, pixels and local storage

Cookies are small pieces of data that are stored on your computer, mobile phone or other device. Pixels are small blocks of code on web pages that do things like allow another server to measure viewing of a Web page and are often used in connection with cookies. HTML5 Local Storage is a small database located inside your browser which web pages can use to store data to speed up their processing. We may use all three technologies from time to time, to help improve your browsing experience.

Cookies do lots of different jobs, like letting you navigate between pages efficiently, storing your preferences, and generally improving your experience of our Platform. Cookies make the interaction between you and our Platform faster and easier. We use cookies to distinguish you from other users of the Platform and our Services. This helps us to provide you with a good experience when you use the Platform and also allows us to improve the Platform and Services. Cookies and other things like local storage also help us authenticate you to deliver personalised content.

We have outlined below the individual cookies we use and why we use them:

| Cookie Name | Expiry Period | Purpose | More Information |
|---|---|---|---|
| _ga | 2 years | Used by Google Analytics to distinguish users | Google Analytics Cookie Usage |
| _gat | 10 minutes | Used by Google Analytics to throttle request rate | Google Analytics Cookie Usage |
| _creditkudos_session | Session | Used by Credit Kudos to maintain your logged in status | Privacy Policy |
| intercom-session | 1 week | Used by Intercom to offer live-chat functionality | Intercom Privacy Policy |
| mf_* | Session | Used by Mouseflow to analyse interactions with the Platform | Mouseflow Privacy Policy |
| mf_user | 3 months | Used by Mouseflow to distinguish users | Mouseflow Privacy Policy |
| mp_# | 1 year | Used by Mixpanel to analyse interactions and visits within the Platform | Mixpanel Privacy Policy |
| mp_mixpanel__c | 1 day | Used by Mixpanel to distinguish users | Mixpanel Privacy Policy |

Please refer to your device’s help material to learn what controls you can use to remove or block cookies. Please remember that if you do this, it may affect your ability to use the Platform and/or the Services. As you use your device, you will encounter third parties that make use of cookies and similar technologies. We are not responsible for those third parties or what they may place on your device or in your browser.

This is where we store your information

The data that we collect from you may be processed outside the European Economic Area (EEA) (for example if a bank from which you are applying for a loan needs to seek authorisation from one of its subsidiaries overseas). Some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU. Where we work with a service provider, we look for a legal mechanism that requires them to protect data to EU standards. For example, the service provider has signed on to the EU-US Privacy Shield, operates under EU-approved binding corporate rules, or is in a country the EU recognises as having adequate data protection laws. Where no other legal mechanism exists, we enact the EU-approved standard contractual data protection clauses in our contracts.

Keeping your information secure

All information you provide to us is stored on servers owned and operated by Amazon Web Services, Inc. More information on this provider is available at https://aws.amazon.com.

Here are your rights

Most of the data we collect and the purposes we use it for are necessary for us to operate and improve our services or comply with our obligations as a CRA. We tell you in the service where you can make a choice or grant consent regarding your data. When you grant consent, you may withdraw it at any time to stop any further data collection. You can also ask us at any time not to send or to carry out profiling for direct marketing, or to stop using certain kinds of cookies.

If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live or work, or where you believe a breach may have occurred.

If you want to stop using the Platform and the Services, you may do so. If you do, you may also want to remove any cookies that we have placed on any device used to access the Platform and the Services.

Credit Kudos has additional legitimate interests as a Credit Reference Agency that affect your rights:

Lending decisions

CRAs don’t tell a lender if it should offer an individual credit – this is for the lender to decide. CRAs provide data and analytics that help lenders make decisions about lending. The scoring tools and data CRAs provide may profile individuals, and are often a valuable tool in the lender’s overall processes and with the criteria they use to make their decisions. A lender’s own data, knowledge, processes and practices will also generally play a significant role in that lender’s business decisions - and lender decisions will always remain for lenders to make.

The same analytics from a CRA may lead to different decisions from different lenders, as lenders can place more importance on some factors than on others. That’s why an individual may receive a “yes” from one lender but a “no” from another.

The data CRAs provide is just one of the things that a lender might take into account when they make a lending decision. The lender might also take into account data provided by the person applying for credit, as well as any other data available to the lender from other sources. Each lender will have its own criteria for deciding whether or not to lend.

Scores and ratings

When requested, CRAs do use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings. CRAs don’t tell a lender if it should offer an individual credit – this is for the lender to decide. Each CRA and each lender will have its own criteria for how to calculate a credit score. CRAs may provide or make available further information on profiling where necessary from time to time.

Data Rights and Responsibilities

You may have certain rights under data protection law. These include the right to ask us for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations - for example, where we can demonstrate that we have a legal requirement to process your data. You can exercise your data protection rights by contacting us at support@creditkudos.com. We will require you to prove your identity with 2 pieces of approved identification.

Data Access Right

Individuals have a right to find out what personal data the Credit Reference Agencies hold about them.

To get online information: http://www.creditkudos.com/

To make a request by post: Credit Kudos, Data Access Team, 4 Bath Place, London EC2A 3DR

Data Portability Right

Data protection legislation (the GDPR) also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to bureau data because this data is processed on the grounds of legitimate interests.

Incorrect Data and Rectification

When the CRAs receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the CRAs rely on the suppliers to provide accurate data.

If an individual thinks that any personal data a CRA holds about them is wrong or incomplete, individuals have the right to challenge it. It’s worth knowing that the CRA won’t have the right to change the data without permission from the organisation that supplied it, so the CRA will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.

If the data does turn out to be wrong, the CRA will update its records accordingly. If the CRA still believes the data is correct after completing their checks, they’ll continue to hold and keep it - although an individual can ask them to add a note to their file (a notice of correction) indicating that they disagree or providing an explanation of the circumstances.

Objections and Data Deletion

To understand data protection rights to object to personal data being used and how to ask for it to be deleted, and how they apply to the processing of bureau data, it’s important to know that the CRAs hold and process personal information in bureau data under the Legitimate Interests ground for processing (see above for more information about this), and don’t rely on consent for this processing. Individuals have the right to lodge an objection about the processing of personal data to a CRA by contacting the CRA directly.

Whilst everyone has complete freedom to contact a CRA with an objection at any time, under the General Data Protection Regulation, the right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.

Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that the CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for the CRAs to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.

Restrictions on Processing

In some circumstances, individuals can ask CRAs to restrict how they use personal data as set out in Article 18 of the GDPR.

This is not an absolute right, and personal data may still be processed where certain grounds exist. These are:

  • With an individual’s consent;
  • For the establishment, exercise, or defence of legal claims;
  • For the protection of the rights of another natural or legal person;
  • For reasons of important public interest.

Only one of these grounds needs to be demonstrated to continue data processing. Credit Kudos will consider and respond to requests we receive, including assessing the applicability of these exemptions.

Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data - in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.

International regulations

Credit Kudos is authorised and regulated in the United Kingdom by the Financial Conduct Authority for Account Information Services provided within the United Kingdom. We are also authorised to provide our Account Information Services in Ireland under the EU Passporting Regime. This means we have full regulatory permission from the Central Bank of Ireland.

Third party properties accessed from the platform

Our Platform and Services may contain links to and from the online properties of third parties. If you follow a link to any of these online properties, please note that these online properties have their own privacy policies which will govern use of any personal data that they process. Please check these policies carefully before you click on any links and/or submit any personal data to these online properties.

Change of control

If the ownership of our business changes, we may transfer your information to the new owner so they can continue to operate the Platform and provide the Services. The new owner will be obliged to comply with this Policy.

Changes to our policy

Any changes we may make to this Policy in the future will be posted on this page. Where it makes sense because the changes are material, we will notify you of the changes by e-mail or in another appropriate manner such as when you next interact with the Platform.

Contacting us is easy and we want to hear from you

We really do welcome any questions, comments and requests you may have regarding this Policy. You can contact us by emailing us at support@creditkudos.com.