1. Introduction
This Privacy Notice explains how No1 CopperPot Credit Union (“we”, “us”, “our”) collects, uses, stores, shares, and protects your personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and applicable financial services regulations.
This Notice applies to:
• Current and former members
• Applicants for membership, loans, or other products
• Individuals who submit enquiries or complaints
• Individuals whose data has been provided by a member (e.g., associates, beneficiaries, guarantors)
• Website users, mobile app users, and social media users
By interacting with us, you acknowledge that your personal data will be processed in accordance with this Privacy Notice.
2. Our Commitment to your Privacy
We are committed to:
• Protecting your personal information
• Processing your data lawfully, fairly, and transparently
• Keeping your information secure
• Allowing you control over how your data is used
• Not selling your personal data
• Providing you with access to your rights
• Ensuring all suppliers follow strict security and confidentiality standards
3. About Us
Data Controller:
No1 Police Credit Union trading as No1 CopperPot Credit Union
Registered address: Slater House, Oakfield Road, Cheadle Royal Business Park, Cheadle, Cheshire SK8 3GX
ICO Registration Number: Z7902893
Authorised and regulated by the FCA and PRA: 213301
Registered in England and Wales under company number: IP000078
Data Protection Requests:
Email: info@no1copperpot.com
Phone: 0161 741 3160
Address: Slater House, Oakfield Road, Cheadle Royal Business Park, Cheadle, Cheshire SK8 3GX
4. Where We Collect Your Personal Information From
Information You Provide Directly
| Description / How Data Is Obtained | Examples of Data Received |
| Information you provide when interacting with us or completing forms | Name, address, email, phone number, financial details, income, ID documents, date of birth, eligibility information, application data, vulnerability disclosures |
| Membership & product applications | Income verification, employment details, bank statements, proof of residence |
| Communications with us | Call recordings, email content, complaints, requests, feedback |
| AI chatbot interactions | Conversation transcripts, topic categories, browsing behaviour |
| Uploaded documents | Passport, driving licence, payslips, employer letters, benefit letters |
| Surveys, competitions & feedback | Survey responses, preferences, opinions |
Information from Third Parties
| Description / How Data Is Obtained | Examples of Data Received |
| Credit Reference Agencies (CRAs) | Credit score, repayment history, financial associations, credit accounts, electoral roll data |
| Fraud Prevention Agencies (FPAs) | Identity matches, sanctions data, suspected fraud, AML risk indicators |
| Public & government sources | Electoral register, insolvency register, Companies House records, court judgments |
| Regulators & authorities | Information provided by DWP, HMRC, FCA, PRA, police or law enforcement |
| Employers & payroll providers | Salary details, employment status, payroll deduction information |
| Other financial service providers | Account verification data, payment and transfer information |
| Identity verification services | Biometric verification results, document authenticity checks |
| Market research / analytics providers | Demographic insights, product usage trends (not used for targeted advertising) |
5. Types of Personal Data We Collect
| Category | Examples |
| Financial Information | Income, expenditure, credit commitments, savings, payment history, tax residency |
| Contact Information | Name, address, email, phone numbers |
| Socio-Demographic | Employment, occupation, nationality, household size |
| Transactional | Account activity, payments, transfers, loan repayments |
| Contractual | Products held, terms accepted, application data |
| Locational | Approximate location from IP address |
| Behavioural | How you use products and services |
| Technical | IP addresses, device info, browser type, login logs |
| Communication Data | Emails, AI chatbot, recorded calls, secure messages |
| Documentary Data | Passport, driving licence, bank statements, payslips |
| Social/Relationship Data | Next of kin, children, beneficiaries, guarantors |
| Open Data / Public Records | Electoral register, public court records, Companies House |
| Usage Data | How you use products and services |
| Gender Identity | Self-identified gender |
| Special Category Data | Processed only when legally permitted and includes health, ethnicity, religion racial/ethnic origin, beliefs, union membership, genetic or biometric data, lifestyle, health, or sexual orientation. You can read how we may use special types of data in the table |
| Criminal Offence Data | Fraud alerts, sanctions screening results |
| Marketing Preferences | Your communication choices |
| National Identifiers | National Insurance number, tax reference numbers |
6. How We Use Your Personal Data & Our Lawful Bases for Processing
We only use your personal data where we have a lawful reason to do so under the UK GDPR and the Data Protection Act 2018. This section explains why we process your information, how it is used, and the relevant lawful basis.
We may rely on more than one lawful basis depending on the processing activity.
How We Use Your Personal Data – Lawful Basis Explained
| General Data | |||
| Purpose of Processing | Description of What We Do | Lawful Basis Under UK GDPR | What This Means for You |
| Providing membership services | Set up, manage and administer your membership, accounts and services | Contract | We need this data to provide your account and services. |
| Assessing applications (loans, products, services) | Affordability checks, identity verification, creditworthiness assessments | Contract Legitimate Interests |
Required to assess eligibility, prevent fraud and comply with regulations. |
| Performing credit, fraud and AML checks | Verify identity, prevent financial crime, meet FCA/AML rules | Legal Obligation Legitimate Interests |
Required by law, cannot opt out. |
| Managing accounts and transactions | Processing deposits, withdrawals, payments, transfers | Contract | Necessary to operate your financial services. |
| Monitoring and improving services | Quality checks, performance monitoring, staff training, complaint handling | Legitimate Interests | Used to improve accuracy, service levels and security. |
| Regulatory and legal reporting | Meeting obligations to HMRC, FCA, PRA and other authorities | Legal Obligation | Required by law, cannot be restricted. |
| Marketing (email, SMS, phone, post) | Sending information about products, offers or updates | Consent: Art. 6(1)(a); or Legitimate Interests: Art. 6(1)(f) | You can withdraw consent or object at any time. |
| System security & fraud monitoring | Monitoring logins, unusual activity, automated alerts | Legitimate Interests: Art. 6(1)(f); Legal Obligation: Art. 6(1)(c) | Helps keep accounts secure. |
| Service analytics | Understanding how products are used and improving efficiency | Legitimate Interests | Used to enhance services, not used for profiling marketing. |
| Handling queries & complaints | Responding to member service requests and formal complaints | Legal Obligation Legitimate Interests |
Helps resolve issues and meet FCA rules. |
| Record keeping | Maintaining accurate financial and administrative records | Legal Obligation | Required under financial regulations. |
| Website, app and AI chatbot use | Enable website features, provide assistance, maintain security | Legitimate Interests | Improves service quality and access. |
| Debt collection & arrears management | Contacting you about overdue debts, arranging repayment plans | Contract Legitimate Interests |
Required to manage arrears appropriately. |
Call Monitoring and Recording
Calls may be monitored or recorded to check instructions, resolve queries, improve service, or prevent fraud. Conversations may also be used for staff training.
Special Category Data
In some circumstances, we may need to collect and use special category data. This type of information is more sensitive and receives additional legal protection under the UK GDPR and the Data Protection Act 2018. We do not routinely collect special category data. We only process it when:
• You choose to provide it
• It is strictly necessary for a specific service, legal requirement, or to protect you from financial harm
• We have a lawful condition under Article 9, plus any required UK exemptions under the Data Protection Act 2018.
Whenever we process special category information, we:
• Collect as little as possible
• Apply additional security
• Use it only for the purpose explained to you, and
The categories below explain when and why this type of data may be processed, and the lawful condition that applies. This list does not mean we always collect these data types, only that we may need to in limited, clearly defined situations.
| Type of Special Category Data | Why We May Need to Process It | Legal Condition (Article 9 UK GDPR) | What This Means for You |
| Health information | To understand financial vulnerability, consider reasonable adjustments, support affordability concerns, or ensure we treat you fairly | Explicit Consent, or Substantial Public Interest (safeguarding / vulnerability) | You choose what you tell us. If consent is used, you can withdraw it at any time. We only use this to support you. |
| Racial or ethnic origin | Sometimes required for identity verification (e.g., money laundering checks) | Substantial Public Interest (preventing/detecting crime), or Explicit Consent (for monitoring) | Required for identity checks in some cases. |
| Religious or philosophical beliefs | Only if you choose to tell us and it is relevant to the support you need (e.g., cultural considerations) | Explicit Consent | Entirely optional. Only used for tailored support where you ask us to consider it. |
| Biometric data (used to identify you) | To verify your identity through digital onboarding, liveness tests, or document-matching | Explicit Consent | Used only if you choose to use digital ID verification. A manual alternative is always available. |
| Gender identity / sexual orientation | Only where you share this as part of vulnerability support or related circumstances | Explicit Consent | You choose whether to disclose this. Used only to support you appropriately. |
These are extra situations where the law allows us to use special category or criminal offence data. We only use the minimum amount needed, and only when it is strictly necessary.
| Purpose | Legal Basis | What This Means for You |
| Responding to regulatory requirements (for example, proving that we have treated you fairly or supported you appropriately) | Legal obligation / Substantial Public Interest | We may need to share relevant information with a regulator. Only the information needed to meet the regulatory requirement will be used or shared. |
| Using information for legal claims | Establishing, exercising or defending legal claims | Your information may be used if we need to handle legal disputes, complaints, or protect our legal rights. |
| System testing, training and quality assurance (only when the use of special category or criminal offence data is necessary to keep members safe and ensure our systems treat people fairly) | Substantial Public Interest/Safeguarding / Equality of Access | We use the smallest amount of information possible. It is pseudonymised where possible and is never used for marketing. |
Criminal Offence Data
Under UK GDPR, criminal offence data is not special category data, but it does require strict additional protection under Data Protection Act 2018, Schedule 1. We only process this information when the law allows it, and we keep it secure, restricted and audited.
| Type of Data | Why We Process It | Legal Condition (DPA 2018, Schedule 1) | What This Means for You |
| Criminal offence information (such as fraud markers, sanctions matches, results from fraud prevention agencies, information from law enforcement, or alerts about financial crime) | To prevent fraud, financial crime, money laundering and terrorist financing. To meet our regulatory and safeguarding duties. | Substantial Public Interest and Prevention and Detection of Crime | We must process this information to meet legal duties. Access is restricted, monitored and audited. You cannot ask us to stop this processing, because it is required by law. |
Children’s Data
Any information collected about children is strictly used for providing and managing credit union services and is never used for marketing or shared with third parties unless required by law. We comply fully with relevant data protection legislation to safeguard children’s privacy, and parents or guardians may request details about the data held or ask for corrections at any time.
7. Automated Decision-Making & Profiling
How we use automated systems
We sometimes use automated systems to help us make decisions about you. This can include decisions about creditworthiness, affordability, or identifying potential fraud. These systems may use information from your applications, account activity, Credit Reference Agencies (CRAs), Fraud Prevention Agencies (FPAs), and internal risk models.
Important: We do not necessarily use all these automated processes at the moment, but we may do so in the future. We will always make sure any automated decisions are fair, legal, and secure.
Automated assessment for account opening
When you apply for a loan or savings account, we may use automated systems called to help assess your application.
• The system may provide a recommendation to our colleagues to support decision-making.
• Automated decision making tools are designed to use only the personal information necessary for their purpose and operate under strict access controls. They help make decisions more quickly and consistently and are subject to measures intended to promote fairness.
• Multiple checks may appear on your credit file, but for credit scoring purposes, these usually have the same effect as a single application.
• These checks may use information from credit reports, affordability assessments, or other relevant sources.
• Identity verification or account checks may be required by law, for example, to prevent fraud or comply with anti-money laundering rules.
Automated decisions help with:
• Credit scoring and lending decisions
• Affordability assessments
• Fraud prevention and detection
• Behavioural analysis for responsible lending
Your rights regarding automated decisions
Where an automated decision has a legal or significant effect, you have the right to:
• Request a human review
• Express your point of view
• Challenge the decision
• Receive an explanation of how the decision was reached
Table of common automated decision types
| Type of Automated Decision | How the Decision is Made | Data Used | Impact on You | Your Rights |
| Credit scoring | Risk models assess affordability, likelihood of repayment, and eligibility | Application info, income, credit history, CRA data, account history | Loan or account may be approved, refused, or subject to conditions | Request human review, contest decision, get explanation |
| Fraud / AML checks | Systems flag unusual activity or high risk indicators | Identity data, device info, transaction patterns, FPA checks | Accounts may be delayed, blocked, or require further verification | Request human review, provide additional evidence |
| Transaction monitoring | Real time monitoring of account activity | Transactions, login patterns, device info | Payments may be delayed or blocked for security | Contact us to confirm activity |
| Identity verification | Automated ID checks (documents / biometric) | ID scans, photos, liveness checks | Approval or rejection of verification | Choose manual verification if available |
| Marketing inclusion/exclusion | Automated rules based on consent or legitimate interests | Preferences, product usage, communication history | Determines marketing eligibility | Update preferences at any time |
8. AI Chatbot
We may use an AI powered chatbot to assist with enquiries, provide product information, and guide you through our services.
Current Data Use:
• Currently, the chatbot only sees limited information, such as your IP address and a generalised location. Chat conversations are not stored against your IP and cannot be used to identify you.
• Our chatbot provider has a dedicated Data Protection Officer to ensure all data is handled securely and in line with UK GDPR.
• Visitor data is automatically deleted 30 days after a chat conversation.
• The provider has a dedicated Data Protection Officer to oversee data handling.
Potential Future Use:
In the future, the chatbot may be enhanced to access additional personal information you provide (for example, account or membership data) to deliver a more complete and personalised service. Any expansion of data use will still comply with UK data protection law, and only the information necessary for the chatbot to function will be processed.
Your Rights with the Chatbot
• You can request human assistance instead of interacting with the chatbot.
• You can ask what information is being used for responses.
• You can object to the processing of personal data for chatbot interactions if this is based on legitimate interest.
9. Sharing and Disclosing Your Personal Information
We only share your personal information where it is necessary to provide services, comply with legal obligations, or protect against fraud. All processors acting on our behalf must follow our instructions, comply with this Privacy Notice, and meet appropriate confidentiality and security standards.
We use a range of measures to keep your data safe, including encryption, secure networks, and access controls.
Organisations we may share your information with:
| Category | Examples | Purpose |
| Authorities | Central & local government, HMRC, regulators, UK Financial Services Compensation Scheme, law enforcement, fraud prevention agencies | Compliance with legal obligations, regulatory reporting, fraud prevention |
| Banking & Financial Services | Agents for debt collection, CRAs (TransUnion, Equifax, Experian), other financial services companies, Independent Financial Advisors or solicitors, employers, suppliers, sub-contractors | Account management, credit checks, fraud prevention, fulfilling contracts, providing services |
| Other Services & Schemes | Direct Debit scheme, other lenders on secured loans/mortgages, third parties regarding fines or penalties | Facilitate payments, manage products, comply with legal requests |
| Business Improvement & Marketing | Legal/IT consultants, brokers, technology providers, analytics companies, marketing agencies | Improve services, deliver relevant communications, analyse member trends |
Sharing Anonymous or Aggregated Data
We may share anonymised or aggregated data for research, marketing, or trend analysis. This data cannot identify you.
10. Credit Reference & Fraud Prevention Agencies
We work with external agencies to help us manage accounts, prevent fraud, and meet regulatory requirements. These include Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FPAs).
We may use one, two, or all three of the main CRAs (Experian, Equifax, TransUnion), and may also use other CRAs as required, depending on the purpose. Information may be shared with these agencies, and they may also provide information about you.
We only share your personal information when it is necessary for a specific purpose, such as credit checks, fraud prevention, regulatory compliance, or providing our services. Any third party processing your data must follow our instructions and comply fully with data protection laws. We may also share anonymised or aggregated data for research, statistics, or service improvements, but this is not personal data.
Some of the data we receive from CRAs and FPAs may be used to support automated or semi automated decisions, for example assessing credit applications or detecting potential fraud. You have the right to request a human review, contest a decision, or receive an explanation if such a decision has a legal or significant impact on you.
Credit Reference Agencies (CRAs)
CRAs may record multiple searches, link your record with spouses, partners, or co applicants, and retain settled or defaulted account details. For more information, see the CRA Information Notices (links above).
| Organisation | Data Shared | Purpose | Legal Basis | Impact on You | CRAIN Links |
| Main CRAs (Experian, Equifax, TransUnion) and other CRAs | Name, DOB, address, credit application, shared credit, public info, fraud prevention data | Credit checks, account management, fraud detection | Legitimate interest / legal obligation | Up to 5 searches may appear, linked records for spouses/partners, settled and defaulted accounts reported | Experian Equifax TransUnion |
CRAs may record multiple searches, link your record with spouses, partners, or co applicants, and retain settled or defaulted account details. For more information, see the CRA Information Notices (links above).
Fraud Prevention Agencies (FRAs)
We use your personal information to help detect and prevent fraud, financial crime, and money laundering. This includes:
• Checking account activity for unusual or potentially fraudulent behaviour.
• Temporarily blocking accounts or restricting access if a risk is identified.
• Sharing information with FPAs and law enforcement when required by law.
• Keeping records of potential risks for up to six years.
| Organisation | Data Shared | Purpose | Legal Basis | Impact on You |
| Registered FPAs | Name, DOB, address, contact details, financial data, IP, fraud history | Confirm identities, prevent fraud and money laundering, fulfil contracts | Legal obligation / legitimate interest | Accounts may be blocked, risk records retained up to 6 years, may affect access to other services |
| Other agencies or bodies acting for fraud prevention | Name, DOB, address, contact, financial data, IP, fraud history | Support fraud prevention and law enforcement | Legal obligation / legitimate interest | May result in sharing with law enforcement, risk records retained |
| Industry databases | Limited personal data relevant to fraud prevention | Detect fraud trends and money laundering risks | Legal obligation / legitimate interest | May influence account eligibility or service provision |
Important: Both we and FPAs can only use your personal information if there is a valid reason, either to comply with the law or under a legitimate interest. Data may also be shared with law enforcement agencies to detect, investigate, prevent, and prosecute crime. Automated decision making may be applied to detect suspicious activity.
CRA and FPA records may be retained for up to six years, depending on the type of data and applicable regulations. This includes records of credit agreements, settled or defaulted accounts, and fraud prevention data.
CRA and FPA records can affect your ability to access credit or other services in the future. Your records may be linked with a spouse, partner, or co-applicant. You have the right to request that such links are removed, provided you can show that you no longer share financial responsibilities.
11. Your Rights
You have several rights regarding the personal information we hold about you. If you wish to exercise any of these rights, we may ask you to verify your identity to protect your data.
Your key rights:
| Right | Explanation |
| Right to be informed | You have the right to know how we collect and use your personal information. This Privacy Notice provides this information. |
| Right of access | You can request a copy of the personal information we hold about you (Subject Access Request). |
| Right to rectification | You can ask us to correct any information you think is inaccurate. |
| Right to erasure | You can ask for your data to be deleted where we have no legal or regulatory reason to keep it. |
| Right to restrict processing | You can ask us to limit how we use your data in certain situations (e.g., if inaccurate or unlawfully processed). |
| Right to data portability | You can request your data in a reusable electronic format or ask us to send it to another organisation. |
| Right to object | You can object to how we use your personal data, including for marketing. |
| Rights related to automated decisions and profiling | You can ask for human intervention if we make a decision about you solely using automated processing. |
| Right to withdraw consent | You can withdraw consent at any time, this may affect your ability to use some services. |
12. Audits and Regulatory Requirements
We may share your information with auditors and regulators to comply with legal and regulatory obligations.
• External Audits: Required by law to ensure compliance and assess processes.
• Internal Audits: Conducted by the Credit Union or appointed auditors.
• Regulators: The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) and other authorities may request information, which we must provide.
13. Safeguarding and Security Measures
We take your privacy seriously and use multiple layers of security to protect your information, including:
• SSL/TLS encryption
• Access restrictions and IT authentication
• Firewalls and anti-malware protection
Sensitive data relating to you is not subject to any additional encryption methods. It is safeguarded using the same security measures applied to all other data, as outlined above.
All colleagues and third party providers are required to follow strict security and compliance measures.
14. Transfers Outside the UK and EEA
We may transfer your personal information outside the UK and European Economic Area (EEA) only to:
• Follow your instructions (e.g., issuing a statement)
• Comply with legal duties (e.g., tax reporting)
• Work with suppliers who help run our services
When we transfer data outside the UK/EEA, we ensure it is protected to the same standards as in the UK/EEA by using:
• Data sharing agreements/contracts
• Transfers only to countries with equivalent privacy protections to the UK
15. Marketing, Cookies, and Email Tracking
Marketing
We may use your personal data to suggest products or services that may interest you, based either on your consent or our legitimate interests, provided these do not override your rights. Marketing communications will only be sent with your consent or where we have a valid business reason. You can opt out of marketing at any time and we may ask you to update preferences if you take a new product or service. If you consent, we may send marketing material via email, post, or text. You can withdraw your consent at any time. Some marketing may rely on cookies, which require your acceptance. Regardless of your preferences, we will continue to send essential updates about your existing products and services.
We use information you provide, data from your use of our services, and external sources (such as credit reference agencies) to determine relevant offers, a process known as profiling. You may ask us to stop using your data for these purposes at any time.
We do not sell the personal information we have about you to outside organisations.
Cookies and Tracking
We use cookies and similar tracking technologies on our website and emails to improve user experience. Cookies may store information about your preferences, but not your personal identification unless you’ve consented. Cookies are small computer files that get sent down to your PC, tablet, or mobile phone by websites when you visit them. They stay on your device and get sent back to the website they came from when you go there again. All data is protected by this Privacy Notice. To find out more about how we use cookies please see our cookie privacy notice by clicking here.
Email Tracking
We track emails to help us improve the communications we send. We use small images called pixels within our emails to tell us things like whether you opened the email and how many times. We may also set a cookie to find out if you clicked on any links in the email.
16. Consequences of Not Providing Data
Providing personal information is necessary for us to deliver services and comply with legal obligations. If you do not provide the required information:
• It could delay or prevent us from meeting our legal or contractual duties.
• We may be unable to offer a product or service you request.
• We may need to cancel a product or service you hold with us.
Whenever information we ask for is optional, we will make this clear when we collect it.
17. How Long We Keep Your Data
We keep your personal information only for as long as we need it. This depends on our legal obligations, our business needs, and your relationship with us.
While You Are a Member
We keep your personal information for the duration of your membership so we can manage your accounts, provide services, and meet our legal and regulatory duties.
After Your Membership Ends
Most of your personal information is securely deleted six years after you leave the Credit Union. However, we may keep some information for up to 10 years for reasons such as:
• Responding to questions, complaints, or legal claims
• Proving we met our obligations and provided fair outcomes
• Meeting legal or regulatory record-keeping requirements (for example, Money Laundering Regulations require us to keep some records for between 5 and 10 years)
• Internal analysis or research that does not identify you individually
When We Need to Keep Information for Longer
In some cases, we may need to keep certain information beyond 10 years if we cannot legally delete it. For example, we must keep specific details on our member register (name, address, date of birth, email address, dates of joining and leaving, and some account information) under Section 30 of the Co-operative and Community Benefit Societies Act.
Defaulted Accounts
If an account is not fully repaid, we keep information about the default indefinitely. This is because you continue to be classed as a member, and we may need this information to make responsible decisions about any future accounts or applications.
18. How to Make a Complaint
We want you to be happy with how we use and protect your personal information. If you are ever unhappy or concerned, please tell us so we can put things right.
How to contact us
You can make a complaint about how we have handled your personal information by:
Email: info@no1copperpot.com
Phone: 0161 741 3160
Post: No1 CopperPot Credit Union Slater House, Oakfield Road Cheadle Royal Business Park Cheadle, Cheshire SK8 3GX
We will investigate your complaint and respond as soon as possible.
If you are still not satisfied You also have the right to complain to the Information Commissioner’s Office (ICO), who oversees data protection in the UK. They can be contacted:
• Online: via the ICO website https://ico.org.uk/make-a-complaint/
• Phone: 0303 123 1113
The ICO will usually ask that you try to resolve your complaint with us first.
No1 CopperPot Credit Union, Privacy Notice, Version 10, updated 10th January 2026.
Cheadle Royal Business Park,
Cheshire, SK8 3GX
