Privacy Notice

About AALTO Mortgages

AALTO Mortgages Ltd has appointed a Data Protection Officer to ensure the safety of your data and compliance with the General Data Protection Regulations. Their contact details are as follows:

The Data Protection Officer
AALTO Mortgages Ltd
20-22 Wenlock Road
N1 7GU
Telephone: 0207 183 1101

AALTO Mortgages Ltd is registered with the Information Commissioner. Registration number ZA235459

The personal data we collect about you

  • Identity Data – This includes names, maiden names, dates of birth, National Insurance numbers, gender, marital status, details of companies you own.
  • Contact data – Home address, email addresses, telephone numbers and addresses of other property you own.
  • Financial Data – Information relating to your financial circumstances, including income, outgoings, credit, and mortgage information.
  • Transaction data – Details of payments of broker fee’s you have made.
  • Technical data – Analytical data including IP addresses, browser information, location operating system and device details.
  • Marketing data – Your preference in receiving marketing emails.

How do we collect your personal data?

Data is collected by us in the following manner and for the following purposes:

  • Direct interaction – By telephone and email, in order to determine your suitability for certain mortgage and insurance products, and to verify your identity.
  • Online – By completing our online fact find, for the purpose of applying for mortgage and insurance products on your behalf.

How do we use your personal data?

We apply the following lawful basis for processing your information:

  • Identity data in order to confirm your identity. We compare this information with a number of credit reference agencies and government databases to ensure compliance with Money Laundering regulations, Know Your Customer requirements from the Financial Services Authority (FCA) and to ensure you are not being impersonated.
  • Contact data in order to respond to your inquiry and provide advice. We also seek your consent to send you relevant information such as newsletters and blog posts. We absolutely never pass this information to 3rd parties for the purposes of marketing. We also retain this information and seek your consent to contact you in the future to review the products you have put in place.
  • Financial data for the purposes of applying for mortgage and insurance products. We may share this information with a number of third parties:
  • Mortgage lenders for the purpose of getting mortgage finance approved.
  • Insurance providers for the purpose of getting insurance products approved.
  • Estate agents may request information about your ability to gain a mortgage and we would share name, lender and loan amount details with your consent.
  • IProcess ltd to handle the decision in principle and application processes.
  • Solicitors we recommend to you will be passed identity data in order for them to create a file. They will request additional information from you and you should consult their privacy policy directly.
  • Transactional Data is retained for the purposes of reporting revenue to the HMRC and the FCA.
  • Technical Data is retained within the Google Analytics platform in order to monitor website visitors. Whilst this is personal information, it’s not matched to identity or contact data.
  • Marketing data is retained within the MailChimp marketing platform for the purpose of sending newsletters and blog posts. MailChimp is based in the US and so your name, surname and email address is the only information that is passed outside the EEA. Mailchimp certifies to the Privacy Shield framework which ensures the same level of protection afforded EU citizens.

Marketing Communications

We would like to send you monthly newsletters which include out recent blog posts and we will have recorded your consent to this. At any time you can withdraw this consent by contacting us, or by clicking the “unsubscribe” link on the emails. We only have one active list and so doing so will ensure you receive no further marketing emails from us.
We may still contact you to review products you have taken with us and this consent is requested on our terms and conditions. To withdraw this consent please email

Data Security

We protect your data in a number of ways:

  • Data is stored primarily using Dropbox. This gives us an offsite backup to ensure we can continue to process your requests even if we lose data locally. Data is stored on EU based servers and so never leaves the EEA. Data between our computers and the Dropbox servers are encrypted. Our computers and mobile telephones are encrypted and protected by fingerprint recognition so if they are lost or stolen, your data cannot be accessed.
  • We use Amazon Glacier service for long-term offsite back up of client data, again this is fully encrypted from office to Amazon servers, and only London based servers are used.
  • Our company emails are encrypted so communication between staff cannot be intercepted, and data provided to us via our website is encrypted to prevent interception.
  • Emails between clients and ourselves are often unencrypted and so we cannot guarantee the safety of information communicated in that manner.

How long is your data retained?

  • Where we have successfully put in place a mortgage or insurance product we will retain your contact, identity and financial data for at least 7 years from the date of the application, or until the product expires, whichever is longer.
  • Where we have discussed a mortgage product and made a recommendation, but it has not resulted in a completed mortgage or insurance product we will retain this data for a period of 2 years.

Your data rights.

You have the following rights in regards your data:

  • Right to request access: You can at any time request a copy of the data we hold on you to ensure that we are processing it lawfully
  • Right to request correction: If you feel we hold incorrect data you have a right to request we amend this to reflect the true circumstances.
  • Right to erasure. If there is no good legal reason for us to hold your data you have a right to request we delete this. It may not always be possible to do so, as we are often legally obligated to hold evidence of how we have processed your application if this is the case the specific reasons will be communicated to you. Data that is not part of this legal requirement will be deleted, however.
  • Right to request transfer of your data: You can request we provide your data to another data controller in a commonly used machine-readable format. This applies to information provided to us via our online fact find system, and not to any documents we personally created whilst administering your accounts, such as quotes, application forms, and notes.
  • Right to withdraw consent at any time: You have the right to withdraw your consent at any time to our processing your personal data.

How can I make a complaint about the way my data is processed?

Information Commissioner’s Office
Wycliffe House
Water Lane