Privacy Policy

Please read and become familiar with our privacy policy.

About our notice

This privacy notice tells you what to expect when Greenlight Credit Ltd collects personal information. Greenlight Credit Ltd will, when delivering services, collect and use only personal information which is relevant to the work that we are undertaking and which will be controlled, stored and processed in accordance with the Data Protection Legislation however it is collected, recorded and used; whether it be on paper, in electronic media form or recorded by other means.

We consider the lawful and correct treatment of personal information by the company as critical in maintaining the confidence of our customers, clients and staff; we therefore manage and process personal information lawfully and correctly.

We will, through appropriate management and by strict application of criteria and controls:

  • Observe fully the conditions regarding fair collection and use of information.
  • Meet our legal obligations to specify the purposes for which information is used.
  • Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
  • Ensure that the quality and accuracy of information used is adequate and is maintained.
  • Apply strict checks to determine the length of time information is held and that it is stored for no longer than is necessary.
  • Provide the source of where the personal data originates from and whether it came from publicly accessible sources.
  • Take appropriate technical and organisational security measures to safeguard personal information.
  • Ensure that personal information is not transferred abroad to countries to which transfers are not permitted under the Regulations.
  • Ensure that the rights of people about whom information is held are able to be fully exercised under the Regulations.
    • These include: the right to be informed that processing is being undertaken, the right of access to one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information.
    • They also include the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.
  • If you fail to meet your loan repayment obligations your car will be at risk of repossession.
  • Your credit rating may be adversely affected.

Personal Data

Personal Data defined under the Data Protection Legislation means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Information is likely to be classed as Personal Data if any of the following criteria are met:

  • Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?
  • Does the data “relate to” the identifiable living individual, whether in their personal or family life, business or profession?
  • Is the data “obviously about” a particular individual?
  • Is the data “linked to” an individual so that it provides particular information about that individual?
  • Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
  • Does the data have any biographical significance in relation to the individual?
  • Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
  • Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

The information storage and processing systems used by Greenlight Credit Ltd are certified as compliant with the International standard for information security management systems (ISMS), ISO 27001:2013. This is designed to ensure that:

  • There is an officer appointed with specific responsibility for data protection within the organisation: You may contact our Data Protection Officer by telephone on 44 (0) 330 440 0101, via e-mail at, by using the Contact us page on our web site or by letter to Greenlight Credit Limited, Hersham Technology Park, Molesey Road, Walton-on-Thames, Surrey KT12 4RZ.
  • Everyone handling, managing and working with personal information understands that they are contractually and legally responsible for following the Regulation and good data protection practice.
  • Everyone handling, managing and working with personal information is appropriately trained to do so.
  • Everyone handling, managing and working with personal information is appropriately supervised.
  • Anyone wanting to make enquiries about personal information knows how to do so.
  • Queries about personal information are promptly and courteously dealt with, in accordance with the Regulation.
  • Methods of handling, managing and working with personal information are clearly described.
  • A regular review and audit is made of the way personal information is managed.
  • Methods of handling, managing and working with personal information are regularly reviewed, assessed and evaluated.
  • The performance of the methods and process is regularly reviewed, assessed and evaluated.


Greenlight Credit Ltd adheres to the Principles of Data Protection Legislation. The principles set out the main responsibilities for organisations. The requirements set out that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of individuals; and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Visitors to our Websites

When someone enters our websites, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.


Cookies are small text files that are placed on your computer when you visit our site. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The table below explains the cookies we use and why. We use cookies and similar technologies for several purposes, including:

  • Social media. Some of our websites include social media cookies, including those that enable users who are logged in to the social media service to share content via that service.
  • Feedback. We may use cookies to enable you to provide feedback on a website.
  • Analytics. In order to provide our products, we may use cookies and other identifiers to gather usage and performance data. For example, we use cookies to count the number of unique visitors to a web page or service and to develop other statistics about the operations of our services. This includes cookies from us and from third-party analytics providers.
  • Performance. We use cookies for load balancing to ensure that websites remain up and running.

Third party cookies

Google Analytics

We use Google Analytics to monitor traffic levels, search queries and visits to this website. Google Analytics stores IP addresses (anonymously) on its servers in the United States, and neither The Sheriff’s Office nor Google associate your IP address with any personally identifiable information. A mixture of both persistent and session cookies are used to enable Google to determine whether you are a return visitor to this site and to track the pages that you visit during your session.

More information about Google’s cookie policy can be read at

In addition to the cookies we set when you visit our websites, third parties may also set cookies when you visit our sites. In some cases, that is because we have hired the third party to provide services on our behalf, such as site analytics. In other cases, it is because our web pages contain content from third parties. Because your browser connects to those third parties’ web servers to retrieve that content, those third parties are able to set or read their own cookies on your device and may collect information about your online activities across websites or online services.


This cookie tracks how our Facebook campaigns perform so we can personalise each campaign to you. These cookies track the pages you have visited on our site which we can then use to make the advertising we target to you on Facebook or our own website more relevant to you.

We may use this information from cookies on the website to advertise to you other products and services from the Greenlight Credit Limited group of companies.  One example would be advertising to you competitions from the website which is part of Greenlight Credit Limited.

For more details on the Facebook cookies and information collected through Facebook pixels please see here


We use Adalyser to monitor traffic levels and visits to this website.

Adalyser uses these cookies:

  • Strictly necessary cookies: to let you move around the site and use all the basic features.
  • Functionality cookies: to improve the way the site works by storing your preferences.
  • Performance cookies: they give you a better user experience of our website.
  • Advertising cookies: our third party partners collect information about how you use the internet, so they can provide you with advertising that’s more likely to interest you.

For more information about Adalyser cookies read


We use Hotjar to track users on this website. Hotjar stores first party cookies on visitors' browsers. Cookies that Hotjar may store in a visitor's browser are:

  • _hjIncludedInSample – This session cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate Heatmaps, Funnels, Recordings, etc.

For more information about the cookies that Hotjar uses and their data safety, security and privacy please visit

How to control cookies

Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. Most browsers allow you to refuse to accept cookies; however, blocking cookies will have a negative impact upon the usability of some websites.

You can opt out of data collection from Google Analytics by clicking on this link

Information Processing

Data subjects have a right, as set out in the Regulation, to obtain the personal information which is stored and used by us, and can obtain this information by contacting the Data Protection Officer whose details are given in this document. The data comprising the personal information will be delivered to the data subject in a secure manner and in a format which is readily accessible using common proprietary data access tools.

What information do we Process?

The information that we obtain may be dependent upon the nature and context of your enquiry or instruction. The information that we collect can include the following:

  • We receive basic personal information from our customers when a loan is applied for.
  • The personal information which is obtained and stored consists of name, address, car registration number, telephone number, date of birth, IP address and location data from online analytics services such as city or postcode.
  • We also may collect other information; however this is not personally identifiable.
  • We hold information we received when making a decision about you, your loan or application (including information collected from the Credit Reference Agencies).
  • We hold details of the loans you have and have had with us and all transactions.
  • We hold details of when you contact us and when we contact you.
  • We obtain information by recording how persons use our websites by means of embedded technology such as cookies, and by receiving written enquiries and usage data from relevant forms hosted on our website.
  • Calls to our telephone system may be recorded and Calling Line Identity (CLI) numbers are identified and stored where they are not withheld.
  • To obtain a loan some or all of the above personal information is required. Failure to provide the appropriate information where required will result in a loan being declined. The contractual requirements of a loan agreement require some of this personal information and will not be valid if the required personal information is not available.
  • We also obtain data from third parties.
  • We protect data obtained from third parties according to the practices described in this statement, together with any additional restrictions that are imposed by the source of the data. These third-party sources vary over time, but have included:
    • Data brokers from whom we purchase demographic data
    • Service providers that help us determine a location based upon your IP address
    • Partners with whom we offer co-branded services or engage in joint marketing activities
    • Publicly-available sources such as open government databases or other data in the public domain

The Purpose of Data Processing

  • The personal information which we obtain, store and process is necessary and is used to enable us to assess an applicant for a loan and contact the customer during the period of the loan if needed.
  • Automated decision making may be used in the form of credit checks and vehicle valuations. Decisions on lending are made based on income and expenditure, vehicle value, past payment history, age, length of time in employment, type of wage payment (cash or directly into bank) and condition of vehicle.
  • If a customer does not adhere to the terms of the loan agreement, repossession agents and administrative staff are employed by us to enforce agreements or repossess a customer’s vehicle.
  • We may keep details of any phone number(s) that you call us from and use them to contact you.
  • For marketing purposes we may contact you by telephone or by e-mail or other means to inform you when a publication or presentation which may be of professional interest is available or to enquire or to advise about a service enquiry that you have made, or to invite you to participate in a survey or to attend a commercial event. For information about how to manage, edit or to delete contact data which contains your personal information, please use the contact section at the bottom of this privacy notice.
  • For advertising purposes we may use personal information contained in e-mail, telephone calls or voicemail, or your documents, or data files to target advertisements to you in respect of all product offerings from Greenlight Credit Limited and our associated brands Varooma and Bonanza Giveaways.
  • If you provide us with any debit card details, either during the loan application or subsequently, we will keep those details and may use the details to take further payments both on your current loan and on any subsequent loans.
  • If a card is identified as having been used fraudulently then we will maintain a record of its use for reporting and preventing fraud; the card details will be deactivated to ensure that they can no longer take payment.
  • When we are managing your account, we may be given sensitive information such as medical information. We will hold and process this information to allow us to make decisions about you and your accounts with us.
  • When we are required to obtain health information where it is relevant to issues of vulnerability, the information obtained is used by administration staff and Enforcement Agents to alert creditors where they have identified such debtors. Enforcement Agents and relevant staff are trained to recognise and to manage interactions with vulnerable debtors, and when to withdraw from such situations.

How to Access and Control your Personal Data

You can submit a request to view, edit or delete any personal data that we hold and which is not retained for the purpose of writ or order enforcement.

Your Marketing Choices

You may opt out of receiving marketing information by contacting us at, or by un-subscribing using the link incorporated into all our e-mail communication. Because the data used for marketing may also be used for other necessary purposes, in such cases, opting out of marketing does not stop that data from being collected or stored.

Links to Other Websites

This privacy notice does not cover the links within this site linking to other websites. We recommend that you read the privacy notices on the websites you visit.

Changes to this Privacy Statement

We will update this privacy statement when necessary to reflect customer feedback and changes in our services. When we post changes to this statement, we will revise the “last updated” date at the top of the statement. If there are material changes to the statement or in how we will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review this privacy statement to learn how we are protecting your information. This privacy notice was last updated on 1st May 2018.

How to Contact Us

If you have a privacy concern, complaint or a question for the Data Protection Officer, please contact us by email to We will respond to questions or concerns within 30 days. Unless otherwise stated Greenlight Credit Ltd is a data controller for personal data we collect through the products subject to this statement.

Our address is:

Greenlight Credit Limited, Airport House, Suite 43-45, Purley Way, Croydon, Surrey CR0 0XZ.

Open Banking

This section of our Privacy Policy relates to Open Banking and should be read in conjunction with the other clauses in our Privacy Policy.  In the event of conflict with any other clauses, this clause shall prevail.

What is Open Banking?

Open Banking is the secure way of providing access to your bank or building society account to providers who are registered for this purpose.

Registered providers and participating banks and building societies are listed under the Open Banking Directory.

Open Banking was set up by the UK Government to encourage more competition and innovation in the financial services sector.

As a forward-thinking lender, we support the use of Open Banking as it allows us to process loan applications efficiently, securely and in our consumers' best interests.

By permitting access to your bank or building society account information we are able to make a better lending decision as we shall be able to verify your income, outgoings and other matters in order to assess what loan terms would be suitable for you based upon what you can reasonably afford to repay.

Further information about Open Banking is available from

How will my personal data be shared and used for the purposes of Open Banking?

By proceeding with your loan application via our website you expressly consent to us sharing your personal, contact and loan application details (“the Shared Personal Data”) with our registered Open Banking partner, Perfect Data Solutions Limited (“PDS”) who are also a credit reference agency.  During your loan application we shall safely and securely direct you to PDS’s secure portal (“the Portal”) for the purposes of granting PDS access to your bank or building society account information (“Transaction Information”). As soon as your Transaction Information is received it shall be reported back to us in the form of a completed search in order that we may continue to process your loan application (“the Permitted Purpose”).

Further information about PDS including their registered provider and regulatory status is available from

Is Open Banking secure?

PDS are registered under the Open Banking Directory as an account information service provider and are also regulated by the Financial Conduct Authority as a payment services firm under number 802599.  Any data you submit via the Portal will be encrypted and its usage tracked as part of set Open Banking data security standards.

We are responsible for the secure transmission of any Shared Personal Data to PDS, for safely directing you to the Portal and for the safe receipt and usage of your Transaction Information.

You will not be required to share your banking password or log in details with either us or PDS.  Once you have given your explicit consent to share your bank account information on the Portal you will be directed to your own bank or building society’s login page where you will enter in your own login details directly.

Save as set out above or elsewhere in this Privacy Policy, we are not responsible for your direct data transmissions with PDS or with your own bank or building society.

How will my Shared Personal Data and Transaction Information be used?

PDS shall, subject to their own terms and conditions and privacy policy, and, if your bank or building society is registered to provide access under the Open Banking Directory, obtain your Transaction Information and submit this back to us for the Permitted Purpose. By way of example, the Transaction Information that we shall receive is likely to include information relating to your income, outgoings and credit worthiness.

PDS shall be entitled to re-access your Transaction Information for up to 90 days from the date of your original search result in order to refresh the search results, obtain a snapshot of your data or gather additional data.

PDS shall hold the Shared Personal Data and the Transaction Information they receive and retain according to their own terms and conditions and privacy policy, available on the Portal, which you will be required to read and consent to once directed there via our website.

As PDS are also a credit reference agency they may also share and keep a record of your Shared Personal Data and Transaction Information.

Will you use my Transaction Information data for any other purpose?

The Transaction Information we receive about you will only be used for the Permitted Purpose.  We do not sell or share Transaction Information with any third party.

Save as set out above the information contained in the rest of this Privacy Policy deals with how we collate, use, transfer, store, delete and other terms applicable to your personal data including Shared Personal Data and Transaction Information.

Do I have to provide you with my consent to proceed?

Where your bank or building society have already permitted access to your Transaction Information you shall need to contact them directly in order to withdraw your consent under their particular Open Banking terms and conditions.

Are any of my other rights under this Privacy Policy affected?

Your individual data protection and privacy rights including the right to access, correct, delete, object, restrict, withdraw consent, request transfer and/or make a complaint, continue to apply to relevant personal data we control or process and are dealt with elsewhere in this Privacy Policy.

Under Open Banking as your personal data is shared by your bank or building society and accessed by PDS you may also be able to exercise your individual data protection and privacy rights against either of them pursuant to their own terms and conditions and privacy policies.


Responsible lending

Greenlight Credit Limited t/a Varooma are authorised and regulated by the Financial Conduct Authority FRN: 679701. To confirm our status feel free to search the financial services register, click here. We are upfront about the costs of our loans and only offer finance to those who meet our affordability criteria.