• Clydesdale Bank PLC
• CYB Intermediaries Limited
• CGF No 9 Limited
• Clydesdale Bank Asset Finance Limited
• Clydesdale Covered Bonds No 2 LLP
• Virgin Money UK PLC
• CYB Investments Limited
• Virgin Money plc
• Virgin Money Unit Trust Managers Ltd
• Virgin Money Personal Financial Service Ltd
• Virgin Money Holdings (UK) plc
• Yorkshire Bank Home Loans Limited

By ‘info’, we mean all the personal and financial details we collect, use, share and store. The info we keep will change depending on the account and relationship you have with us. It can include but isn’t limited to:

• Info about your identity and contact details (like your name, date of birth, home address, phone number, email address, current and previous countries of residence/citizenship, a copy of identification documents like passport or driving licence, for example – and info we need to check your identity).
• Unique identifiers and reference numbers that we or others have allocated to you (like Companies House references, account numbers, online usernames, and your National Insurance number).
• Your financial and payment info, including details of your income and how you spend it (if relevant), business accounting info, credit history info, bank details and transactions with us and others.
• Info about you from resources, organisations, and regulatory bodies (like Financial Conduct Authority, Business Banking Resolution Service or Companies House).
• Info about people you’re financially linked to (like your husband/wife/partner or financial associates) or who have an interest in or association with any of your accounts. (For example, an additional cardholder or where you’ve opened an account for a child).
• How you access and use our website or other digital services (like your IP address, location and the device and software being used).
• The profile info we create by analysing you, your business, and your behaviour. This could be through the way you use your account and from other sources – including info we get using artificial intelligence to look at combined data sets.
• Your permission to share info from third parties.
• Info that the law sees as being in a special category because it’s sensitive to you. We can only collect and use this info if you’ve given us permission, or it’s allowed by law. This sort of info includes:
  -Race or ethnicity.
  -Religious or philosophical beliefs.
  -Trade union membership.
  -Genetic and bio-metric data.
  -Health information and data (needed for some insurance products and to protect vulnerable customers).
  -Criminal convictions and offences (needed for lending decisions, fraud prevention, anti-money laundering and to meet our legal duties).

In section 6, there’s more on how we use this info.

Sometimes, we ask for your info as we need it to provide the product or service you’ve asked for or to do something the law requires us to do (like check you are who you say you are). Without that info we’ll not be able to provide some products or services requested.

For Credit Card Accounts, Loan Products and Mortgage Products, we need info on your finances. This includes:

1. Your income, how much you spend, accounts info, assets and liabilities, credit history and credit scoring, employment info, any criminal prosecutions and details of bankruptcy or County Court Judgements.

To provide Financial Management Services and products that include Travel Insurance, we may need to use any health info, which we will ask for.

The law requires that we must check the identity of new customers and for business customers the verification of key individuals of such customers. The law also requires us to re-check the identity of existing customers from time to time. This is so we know who our customers are and to make it more difficult for criminals to use false or impersonated identities, for criminal purposes like hiding the proceeds of crime or committing fraud. To check your identity, we’ll check the contact details and financial info you give us with credit reference agencies and against publicly available info. We’ll also check you’re eligible for the product or service we’re offering.

We’ll use your info to manage any account, product, service or relationship you have with us. This’ll be done in line with the terms of that arrangement and the rules of our regulators. Examples of this are:

• Management of your account including:
  - linking other accounts or linking your Virgin Red account where you've asked us to.
  - keeping info about your transactions and sending your account statements.
  - telling you about your account and your relationship with us, including letting you know any changes to interest rates, limits or charges.
• Sharing your name and some account details with a person or organisation before a payment can be made to your account.
• Linking other accounts or linking your Virgin Red account where you've asked us to.
• Helping to fix mistakes and sort out any problems or complaints you may have.
• Manage any offers or promotions you take part in.
• Closing your account.

To do this, we’ll use your contact details, the payment details you’ve given us and your location data to enable us to check locations where payments are made (this is to prevent fraud). If you’ve agreed to it, we’ll also use mobile location services and your IP address to identify you for security and to stop fraud.

We may also share this info with third parties who help us confirm your contact details and deliver our products and services – this could be our payment providers, subcontractors, service providers for ATMs and cash management and other banks and regulators.

We might use info to manage any business internet banking money management services provided to business banking customers. Our money management services use machine learning to give you forecasts and predictions:

• This provides a simple forecast of revenue for the next three months using the info you’ve given us and other info across the platform (including previous info). For example, daily and monthly revenues, industry type, size and location.
• The forecasting tool gives a prediction of future cashflow using all the transactions, invoices and other financial info that cause your bank balance to change. It then looks back to find different patterns and trends that it can use to forecast your cashflow. It works directly from your cash movements rather than your profit and loss or balance sheet. This means it can consider individual customers and suppliers to make accurate forecasts right down to daily cash movements.

We have a legitimate interest in only lending money to customers we think can pay it back. Our regulators also require us to lend money in a responsible way.

So, whenever you apply for credit (for example, a mortgage, credit card or overdraft) or any extra borrowing on a product you’ve taken out, we’ll use the info you give us and what we already know to work out the risk to us.

We’ll also get info from credit reference agencies to do credit scoring and/or other risk assessments of your application.

Credit scoring is an automated way of making fair and responsible decisions about lending money and managing your accounts. We use it to assess how you are likely to run your account and by using info from a range of sources it allows us to decide on whether we’re going to offer you a product or service or make any changes to any ones you have.

To calculate a credit score we use:

• Info you provide about your credit history.
• Info about anyone you’re financially linked to (like your partner).
• Info we get from credit reference agencies (including, but not limited to, those shown in Appendix 1).
• Details about how you’ve used other products and services you have with us or the Group (for example, how you’re making repayments on other credit products).
• Info we received about you from other third parties, including when you let us access accounts you have with other banks, as an account service provider.

We’ll confirm where we’ve used credit assessment. If there’s been a change to your credit limit or interest rate based on our credit assessment process, you can ask one of our team to assess it again. For more info see the section ‘When we make automated decisions’ below.

See section 7 "Who we share info with",for more about sharing info with credit reference and fraud prevention agencies.

By law, we must review applications and monitor accounts. This helps us tackle threats from terrorists, money-laundering and other financial crimes. We also have a legitimate interest in avoiding losses caused by financial crime like fraud. We may share info with law enforcement agencies and other official bodies or government departments to comply with our legal obligations (like tax and immigration authorities).

We may also check and share info we’ve got about you – like your contact details and financial info – with fraud prevention agencies, credit reference agencies, law enforcement, other government agencies, different banks and regulators. This is to help stop financial crime and terrorism funding. To do that, we’ll use any info you’ve provided, as well as info we’ve got from a third party. We’ll also see how you use our services for more info.

This includes your name, address, date of birth, every country of residence/citizenship, personal identification (which may include passport or driving license number), your IP address and details of any criminal convictions. This might also include info about your location, which helps prevent crime and fraud.

We use your info in this way because it is necessary to perform our contract with you. It is also in our legitimate interest to recover any debts that are owed to us if there isn’t a plan in place to pay it back.

We’ll use your contact details and info we’ve got from seeing how you’ve used our services (including info about your location that we may find from reviewing your accounts). We’ll also use info available within the Group about how you’ve used services from other Group members.

To get a debt paid back, we’ll share info with and receive info from third parties where we have to. This might even include legal proceedings. Examples of third parties include other banks, debt recovery agents, solicitors, credit reference agencies and sheriff officer or bailiff services.

This might also include sharing info about you with a third party who we’ve moved your debt to e.g., securitisation. We’ll tell you who they are and they’ll contact you directly to collect that debt.

We have a legitimate interest in improving how we offer our services and the security of the computer systems we use. We also have to respond to any law changes or rules that affect how we protect the info, that we hold.

We may use your info to help us develop and test our systems, including new technologies and services. This is to make sure they’re safe and secure and will work the way we want them to. When we do this, we’ll use processes and technologies that are designed to keep this info secure.

We may also ask you for your consent to invite you to take part in customer research to help us improve our products and services.

The range of products and services we offer, including those from companies outside the Virgin Money UK PLC Group, changes all the time.

We have a legitimate interest in telling you about products, services and any new developments we think may interest you, where we’re allowed to. For some of our marketing, including letting you know about the products and services of other companies, we’ll ask for your permission first.

We don’t want to send on too much info or anything that’s not right for you, so we’ll use the info we already have, particularly profile info, to decide what we talk to you about. This includes telling business customers who meet certain scores that they may be able to apply for Sustainability Linked Loans.

You have the right to tell us at any time if you don’t want us to use your info in this way.

We’ll only get in touch in the ways you’ve said we can. For example, a phone call, text message or post. If you’ve said you don’t want to see any marketing, you won’t. You can opt in or out at any time to marketing by contacting us in the usual way see "Getting in touch" for our contact details).

• The info you’ve given us.
• Details about how you’ve used other products and services you have with us or the Group.
• Any feedback you’ve given us.
• Info we’ve got from credit reference agencies (including, but not limited to, those set out in "Appendix 1").
• Info from other companies we’re partnering with (including, but not limited to, those shown in "Appendix 3").

We might get info about you from a third party to help us market our products and services to you. But we’ll only do this if you’ve given them permission to share your info with us.

We might also ask you for permission to show marketing from Virgin Red as part of your Virgin Money app, both inside the app and in push notifications.

We may also get your name and address from other companies to help us offer services that are right for you. Our manual or automated processes analyse this info to decide what products and services to offer to you and to prioritise the marketing messages you receive.

We do this by:

• Working out which products and services you can have.
• Seeing if they’ll be useful to you.
• Deciding how likely you are to reply.

We may also get info telling us if you’ve opened or clicked on an email, the type of device you’re using and your general location when you opened the email.

Our service providers will help us with these marketing activities. The partners we give your info to might use it for marketing profiling.

Sometimes we work with other companies to offer you the best products and services. We’ll sometimes share your information with our partners, and get info about you too, to make sure that we give you the best, most relevant offers when we market to you (if you have given permission).

See Appendix 3 for a list of our partners and Appendix 4 for the types of suppliers we use.

We have a legitimate interest in running our business as well as possible while also sticking to our legal and regulatory responsibilities to the UK financial system.

Therefore, we may use your financial info, including how you’ve used our products and services, for the following reasons:

• To see how well our marketing is working.
• To train our team.
• To spot trends or behaviours.
• To check performance indicators.
• To work out the profitability (or other indicators) of a product, service, sector or part of it when compared to others to help us with our future strategy.
• To report to and communicate with regulators, auditors and government agencies.
• To help the preparation and confidential sharing of info that supports our funding and other activities. For example, the sale or transfer of our interests in some of our mortgage or credit card accounts or where we may want to reorganise some or all our businesses through a merger, transfer or sale.
• Clydesdale Bank plc and Nationwide Building Society will jointly control and process your personal info necessary for the purposes of managing and planning the integration of the two banking organisations.

We may pass your info to market research companies and others who help us with these activities.

Sometimes, we’ll use artificial intelligence to help us understand trends, behaviours and predict general patterns. For example, to see how well our marketing is doing.

We may also use your info for other things you’ve agreed to, as well as some situations where the law asks or requires us to.

We have an interest as well as a legal duty to support vulnerable customers. That’s why we’ll use any info you give us, and what we can see from your transactions, that might show a vulnerability. For example, a health condition or money worries.

We’ll also use info we get about vulnerable customers from other members of our Group if we need to protect their interests. Plus, we’ll give info to third parties about vulnerability to meet our legal duties. This might be to the police, social services or someone acting on your behalf.

We’ll give info to and get info from third party independent financial advisers and mortgage brokers who’ve introduced you to us.

This is so we can provide products and services to you and manage our relationships with those third parties, including paying any fees.

To do this, we’ll use info about the general nature of the products and services, as well as info about the value of those products and services.

To provide you with mortgage products and some insurance products, as well as the info already listed above, we’ll need to use extra info about your needs and situation. This is to make sure the products and services are right for you.

For mortgages, this’ll include info about your income and spending, assets and liabilities and your planned retirement age.

We’ll also collect information about your energy usage from Experian plc to help us understand our customers’ property energy usage and efficiency. This helps us to explore ways to support in improving energy efficiency.

For life and critical illness, this’ll include your date of birth, if you smoke or not and details of current policies. Plus, info about how you’ve used other products and services offered by us or other Group members. This will include previous claims under any current policies you have with us, as well as with other providers.

We might share all the info we use with third parties who help us to give the best advice possible. These third parties include credit checking and fraud prevention agencies and our insurance provider partners.

See Appendix 1 for a list of the credit reference and fraud prevention companies we use and Appendix 2 for a list of our insurance provider partners.

We use your info like this because it’s in both of our interests for you to get advice about the right products and services. It’s also so we stick to the rules of our regulators.

When we make automated decisions

We sometimes use computers to make decisions. We do this when:

• Assessing your eligibility for products and services. We’ll analyse and combine the info collected to create a profile of you to understand the way you use your account (or how we think you might use your account) and our services as well as what you might like and what you might do. We use this to decide whether to offer you certain products and services.
• Evaluating your use of bank products and services. For example:
  - The types and volumes of transactions you make
  - How often you use our digital services.
  - Which products or services you appear to prefer;
  This helps us to create profiles of you which we will use to manage our relationship, including how we communicate with you.
  
• Deciding whether to lend money. We use credit scoring to help us make fair, responsible, and consistent decisions about lending money and managing your account(s). We use credit scoring to decide:
  - whether we provide a product or service to you;
  - whether to adjust products or services you have (like increasing or decreasing credit limits or interest rates);
  - to pre-approve future products or services for you;
  - to authorise overdraft limits;
  - to authorise payments from you; and
  - in some cases where we need to recover a debt from you.
• Creating a profile of you for marketing purposes (but only where you’re happy to be contacted with marketing). This helps us make sure you get the most relevant info about the products and services that will be the most beneficial to you, at the right time. It also helps us decide how likely you are to respond. To do this, we use:
  - info you give to us;
  - info about the types or retailers where you spend your money;
  - details about how you have used other products and services you have with us or the Group;
  - any feedback you have given us;
  - publicly available data from a reputable institution that may give us an insight into economic circumstances that impact you or the area you live in. Example sources included but are not limited to: The Bank of England, The Office of National Statistics and academic institutions or research papers.
  - info we have obtained from credit reference agencies (including, but not limited to, those set out in Appendix 1 ; and
  - info from other companies we are partnering with (including, but not limited to, those set out in Appendix 3.
  
• To assess payments to your account to identify any that look unusual and that are potentially fraudulent. We take into account various elements of the payment like billing address, IP location, issuer country, and velocity checks on how many times the card has been used globally and assign a score to each payment and where the score is above a certain threshold the payment will not be processed.
• When carrying out risk assessments related to money laundering and terrorist financing, required by law, we take into account customer type, countries where you operate, products held, transactions made and delivery channels

When we make automated decisions, we look at look at how you’re likely to run your account, using info from a range of sources (See section 4 "Where we get the info from". Where we make automated decisions you can always ask for a member of the team to review the outcome.

• If you apply for a health-related insurance product, we’ll need your info to provide you with services that are right for you.
• If we identify that you have a health-related vulnerability, we’ll share that in our organisation to the extent needed to protect your interests and offer you services that are suitable for you.
• If we need to provide you with urgent medical help when you’re on our premises.
• To make sure you’re treated fairly if you come into financial difficulties because of a vulnerability.
• If you have given us your explicit consent to take part in our customer research and have provided us this information.

Some of our accounts use facial and other biometric recognition technology to help customers prove their identity when opening accounts. We’ll ask for your permission when setting this up.

By observing how you interact when using your device for example, the use of your keyboard, mouse and/or the way in which you hold your device, this is called “behavioural biometrics”. We also use behavioural biometrics to confirm your identity when you shop online with your debit or credit card. Behavioural biometrics is the use of machine learning to analyse patterns. This helps us stop fraud by making sure the person using the card is who they say they are.

We may ask you about your racial and ethnic background as we need to make sure everything is fair and equal when it comes to the service we offer.

We may also ask you about this if you have given us your explicit consent to take part in our customer research and have provided us with this info.

We may use info about criminal proceedings relating to you when deciding to lend money to you, to help us prevent and detect financial crime and to fulfil our legal/regulatory obligations.

Sometimes the transactions in your bank accounts will reveal special categories info (like your political opinions, health status, religious beliefs and trade union membership), depending on payments you make and receive. This info may be processed by us to provide account payment services to you and will not be used for any other purpose.

To assess an application for a product or service we’ll perform identity checks on you with one or more credit reference agencies (CRAs). Where you apply for credit, we’ll also perform credit checks on you with the CRAs. We may also make periodic checks with CRAs to manage your account with us.

To do this we’ll pass your information to CRAs and they’ll give us information about you. The information we’ll supply includes information from your application and your financial situation and history. CRAs will also supply us with public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We’ll continue to exchange info about you with CRAs while you have a relationship with us. We’ll also let them know about any accounts you’ve since paid off. If you don’t pay back your credit in full and on time, CRAs will record the debt. They may also let other organisations know.

When CRAs do a credit search they’ll place a footprint on your credit file that may be seen by other lenders and may affect your ability to borrow from them. If you’re making a joint application, or you tell us that you have a spouse or financial associate, we’ll link your records together, so you should make sure that they know what you’re doing and share this info with them before applying. For joint applications with a spouse or financial associate, CRAs will also link your records together. If you want to break this link, you’ll need to talk directly to the CRAs.

The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share info, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA Information Notice (CRAIN).

You can find out more about CRAs here:

• transunion.co.uk/crain
• equifax.co.uk/crain
• experian.co.uk/crain

We may also use TransUnion’s services for other reasons not mentioned in the CRA Information Notice (CRAIN). This is to help us with identification, verification and fraud prevention as well as other purposes.

You can learn how your data is used at https://www.transunion.co.uk/legal/privacy-centre/pc-bureau.

The CRAs also work as fraud prevention agencies (FPAs). Just so you know, we’re also a member of CIFAS and National Hunter, which are both FPAs.

Before offering you a product or service, we may run some checks with the FPAs to help prevent and detect fraud and money laundering.

We’ll do this by giving FPAs your info, who’ll then give us info about you. This includes details in your application or info from third parties.

If we or an FPA believe you’re a fraud or money laundering risk, we may not offer you a new product or service. We might also stop the product or service you’re already using and share any info we get from a FPA with the CRAs.

A record of any fraud or money laundering risks will be kept by the FPAs. This may mean other companies won’t offer you services, finance or employment.

We and FPAs may also let law enforcement agencies use your info to detect, investigate and stop crime. For more details, please ask a member of staff or visit:

• cifas.org.uk/fpn
• nhunter.co.uk/privacypolicy

The United Kingdom left the European Union on 31 January 2020. So, we’ll need to transfer your personal info to the UK and other areas outside of the EEA, so you can continue to use our products and services.

Moving your personal data from the EU to the UK will take place based on an adequacy decision by the European Commission in favour of the UK, or on the basis of protections which comply with EU GDPR. We’ll also need to continue to act in line with EU GDPR when we process your personal data.

We’ll continue to keep your data secure, but if you’ve got any questions about how we use your info or your data rights and our obligations as a Data Controller, you can speak to our EU representative. If you want to write, the address is The Data Warehouse at Keizersgracht 482, 1017EG, Amsterdam, Netherlands. You can also email them at helpdesk@tdwico.com

If you’d like more info, you can contact our Data Protection Officer (see section 13 "Getting in touch.

How long we keep your info for depends on what products and services you have with us. Just so you know, we won’t keep it any longer than we need to (see section 5 "Why we need the info and what we use it for" and section 6 "Why we need special categories info and what we use it for)").

This means we’ll continue to hold some info for a while after your account has closed or our relationship has ended. For example, where we need to for the regulator, for active or potential legal proceedings, to resolve or defend claims or for making remediation payments.

If you’d like more info, you can contact our Data Protection Officer (see section 13 "Getting in touch.

We have told you about the ways in which we use the information we hold.

You can object to how we use your info. When this happens, we have up to one month to get back to you.

Remember, you can stop getting marketing communications at any time. Just get in touch in the usual way to let us know.

You always have the right to ask whether we hold info about you. If we do, you have the right to know:

• What the info is.
• Why we’ve got it.
• The ways it’s used.
• Who we share it with.
• How long we keep it for.
• Whether it’s been used for any automated decision making.

You’re also allowed a free copy of the info. We can give it to you in person, online, over the phone, by email or by post.

We always want the info we have for you to be absolutely spot on (up to date and accurate). If any of it is wrong or out of date, let us know and we’ll fix it.

You can ask us to delete your info if you think we don’t need it anymore. This might be because:

• It’s not needed for the reason we collected it (see section 5 "Why we need the info and what we use it for" and section 6 "Why we need special categories info and what we use it for)").
• We held and used the info because we had your permission, which you’ve now taken back.
• You’ve already objected to the way we’re using your info.
• We’ve been using the info unlawfully.
• There’s a legal requirement for us to delete the info.

When you ask for info to be deleted, we have up to one month to get back to you. If we don’t go ahead and do it, we’ll tell you why.

You have the right to get some of the info you gave us in a machine-readable format.

In certain situations, you can block or limit the use of info by us. This may happen where:

• You’ve challenged the accuracy of the info is and we’re checking it.
• You’ve objected to how we use your info and we’re considering whether you’re right.
• We’ve been using your info unlawfully but you want us to continue to hold the info rather than delete it (see “Deleting info” above).
• We no longer need to keep the info but you’ve asked us to keep it because of legal claims you’re involved in.

If you’re unhappy with how we’re using your info, please visit us in Store or at uk.virginmoney.com/contact.

If we can’t fix the issue, you can complain to the Info Commissioners Office (ICO). The ICO is the UK’s independent body set up to uphold your rights. You can find out more at www.ico.org.uk.

You can exercise any of your data protection rights by contacting us – (see section 13 "Getting in touch.