Privacy notice
How we handle your personal data.
Last updated 8 May 2026. v0.1 draft — pending DPO sign-off.
Who we are
MyCUmortgage Ltd is the data controller for personal data collected through this website. Co. No. 17047298. Registered office: Sheffield, England. Contact: hello@mycumortgage.co.uk.
What data we collect
- Public site visitors: anonymised, aggregated analytics via Plausible (no cookies, no tracking, no PII).
- Contact / interest forms: name, email, organisation, phone (optional), message content.
- Brochure download: name, role, credit-union name, work email, FPO Art. 43 / 48 / 50A audience certification, IP, UA, timestamp. Retained 5 years (COBS 4.11.1R).
- Member portal users: account credentials, identity documents, address, DOB, NI number, employment, income/expenditure, mortgage details, EPC, application data, document uploads, message content. Retained 5 years post-relationship (MLR 2017 reg.40).
- Audit log: every authenticated read and write, with actor, target, IP hash. Retained 6 years.
Lawful basis (UK GDPR Art. 6)
- Account credentials and intake form: contract (Art. 6(1)(b)).
- KYC / ID / NI number: legal obligation (Art. 6(1)(c) — MLR 2017).
- Marketing communications: consent (Art. 6(1)(a) + PECR reg.22).
- Audit logs: legal obligation + legitimate interest (Art. 6(1)(c) + (f)).
- Vulnerability flag (where disclosed): explicit consent (Art. 9(2)(a)).
Sub-processors
- Supabase (database, auth, storage) — eu-west-2 (London), UK.
- Vercel (hosting) — primary region lhr1 (London), UK; metadata may transit US.
- Resend (transactional email) — US-based; UK-EU IDTA + SCCs.
- Plausible (analytics) — EU-hosted, cookieless.
- Make.com (workflow webhooks) — EU zone.
Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. The DSR centre in your member portal provides self-service for access and portability; other rights are processed manually within 1 calendar month. Contact hello@mycumortgage.co.uk to exercise any right.
ICO complaints
You have the right to complain to the Information Commissioner's Office at ico.org.uk if you are not satisfied with how we handle your data.