Privacy Policy

How we collect, use and protect your personal data.

1. Who We Are

Bright Box Financial Services Ltd is the data controller responsible for your personal data. We are a mortgage and protection broker authorised and regulated by the Financial Conduct Authority.

  • Company name: Bright Box Financial Services Ltd
  • Company number: 11025107 (registered in England & Wales)
  • Registered office: 101 New Cavendish Street, London, W1W 6XH
  • FCA reference: 823508
  • Email: hello@brightboxfs.co.uk

Our offices are located at 1 Station Rd, Kings Langley, WD4 8LZ and 1345 High Rd, London, N20 9HR.

2. What Data We Collect

We may collect the following types of personal data depending on how you interact with us:

Information you give us directly

  • Full name, date of birth and contact details (email, phone number, address)
  • Employment and income details
  • Financial information such as bank statements, credit commitments and existing mortgage details
  • Identification documents (passport, driving licence)
  • Information about your property or the property you wish to purchase
  • Details about your health or lifestyle (where relevant to protection insurance applications)
  • Recordings of telephone calls (we record calls for accuracy, training, regulatory compliance and dispute resolution purposes)

Information collected automatically through our website

  • Your IP address, browser type and operating system
  • Pages you visit and how long you spend on them
  • The website you came from (referral source)
  • Device information (screen size, device type)

Information from third parties

  • Credit reference agencies (when conducting affordability checks)
  • Lenders and insurers (in connection with your application)
  • Calendly (when you book a consultation through our website)

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide mortgage and protection advice tailored to your circumstances
  • To submit applications to lenders and insurers on your behalf
  • To manage your consultation bookings (via Calendly)
  • To communicate with you about your case, including updates and follow-ups
  • To comply with our regulatory obligations under the FCA and anti-money laundering regulations
  • To improve our website and understand how visitors use it (via analytics)
  • To respond to enquiries you send us by email or phone

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we rely on the following lawful bases to process your personal data:

Lawful basis When it applies
Contract When we need to process your data to provide mortgage or protection advice and fulfil our agreement with you.
Legal obligation When we are required to process data to comply with FCA regulations, anti-money laundering laws, or other legal requirements.
Legitimate interests When we use data to improve our services, website functionality, and to communicate with you about relevant matters, provided this does not override your rights.
Consent When you give us specific permission, for example by booking a consultation via Calendly or opting in to receive communications from us. You can withdraw consent at any time.

Where we process special category data (for example, health information for protection insurance), we do so with your explicit consent.

5. Cookies and Website Analytics

Essential cookies

Our website uses a small number of essential cookies that are necessary for the site to function correctly. These do not require your consent.

Google Analytics

We use Google Analytics (GA4) to understand how visitors use our website. Google Analytics collects anonymised data about your visit, including pages viewed, time on site, and how you arrived at our website. This data helps us improve our content and user experience.

Google Analytics uses cookies to collect this information. The data is processed by Google in accordance with their privacy policy. You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on.

Google Fonts

Our website loads fonts from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). When you visit our site, your browser connects to Google's servers to download these font files. Google may collect your IP address and browser data as part of this process. You can read more in Google's Fonts privacy information.

What we do not use

We do not use advertising cookies, social media tracking pixels, or any form of behavioural advertising on our website.

6. Third Parties We Share Data With

We only share your personal data when it is necessary to provide our services or when we are legally required to do so. The third parties we may share data with include:

  • Mortgage lenders — to submit and progress your mortgage application
  • Insurance providers — to arrange protection policies on your behalf
  • Credit reference agencies — to carry out affordability and identity checks
  • Our network and compliance partners — as required by our regulatory obligations
  • Calendly — when you book a consultation, Calendly processes your name, email address and any information you include in the booking form. Calendly's privacy policy is available at calendly.com/privacy
  • Google — through Google Analytics and Google Fonts as described above
  • Solicitors and conveyancers — where relevant to your property transaction
  • Regulatory bodies — such as the FCA and the Information Commissioner's Office, where required by law

We do not sell your personal data to any third party.

7. How Long We Keep Your Data

We retain your personal data for as long as necessary to fulfil the purposes described in this policy. Our standard retention periods are:

  • Mortgage and protection case files: at least 6 years from the date of completion or last contact, in line with FCA requirements
  • Identity and anti-money laundering records: 5 years after the end of our business relationship, as required by law
  • Website analytics data: anonymised and aggregated; individual data is retained by Google in accordance with their retention settings (we use a 14-month retention period)
  • Consultation booking data: retained by Calendly in accordance with their data retention policy and deleted from our systems after the purpose has been fulfilled
  • Enquiry emails: retained for up to 3 years unless they relate to an active case

When data is no longer needed, it is securely deleted or anonymised.

8. How We Protect Your Data

We take the security of your personal data seriously and have appropriate technical and organisational measures in place, including:

  • Encrypted email communication for sensitive documents
  • Secure, password-protected systems for client records
  • Regular reviews of our data handling and security practices
  • Limiting access to personal data to authorised staff only

While no method of transmission over the internet is completely secure, we take all reasonable steps to protect your information.

9. International Data Transfers

Some of the third-party services we use (such as Google and Calendly) may process data outside of the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions recognised by the UK government, to protect your data to a standard consistent with UK GDPR.

10. Automated Decision-Making

We do not use automated decision-making or profiling to make decisions that produce legal or similarly significant effects on you. All mortgage and protection advice is provided by a qualified human advisor. Please note that lenders and credit reference agencies may use automated processes as part of their own assessments — their privacy policies will explain how they use your data.

11. Marketing Communications

We may contact you with information about mortgage products, rate changes, or services that may be relevant to you. We will only do so where we have your consent or where we have a legitimate interest and you have not opted out.

You can opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email we send
  • Emailing us at hello@brightboxfs.co.uk and asking to be removed from our mailing list

Opting out of marketing will not affect any communications necessary for the management of your mortgage application or ongoing service.

12. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate or incomplete data
  • Right to erasure — you can ask us to delete your data where there is no compelling reason for us to continue processing it
  • Right to restrict processing — you can ask us to limit how we use your data in certain circumstances
  • Right to data portability — you can request your data in a structured, commonly used format
  • Right to object — you can object to processing based on legitimate interests
  • Right to withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact us at hello@brightboxfs.co.uk. We will respond to your request within one month.

13. How to Complain

If you are unhappy with how we have handled your personal data, we would like the chance to put things right. Please contact us first at hello@brightboxfs.co.uk.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, regulatory or operational reasons. Any significant changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.

15. Contact Us

If you have any questions about this privacy policy or how we handle your personal data, please get in touch:

  • Email: hello@brightboxfs.co.uk
  • Post: Bright Box Financial Services Ltd, 101 New Cavendish Street, London, W1W 6XH