Privacy Policy

ACI_UK Ltd “ACI” (company registration number 03775287) is a specialist debt resolution company who help customers manage their outstanding debts. ACI is authorised by the Financial Conduct Authority under registration number 708400 and registered with the Information Commissioners Office (“ICO”) with the ICO registration number ZA116228.

We are the data controller of all personal data received as part of any portfolio purchase made by ACI; or

We are joint data controller when acting as the FCA regulated master servicer on behalf of Perch capital or another company, and / or if servicing accounts on behalf of another company but also have contractual rights to separately retain and process the data for our own purposes; or

We are data processor when servicing accounts on behalf of another company.

Personal data is defined under the UK GDPR as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In essence, personal data is your personal information. Please see section 3 for the type of personal data that we collect. We collect and process personal data primarily to provide you with our products and services. Section 4 of this privacy notice tells you what you can expect us to do with your personal data when you use one of our services. The Website(s) noted are not intended for children and we do not knowingly collect data relating to children.

When we collect your personal data, we will let you know if any of it is optional. If it is, we will explain why it would be useful to us, and you can decide whether it is something you are happy for us to have.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:

• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes address, previous addresses, email address, telephone numbers
• Financial Data includes bank account details, salary details, assets, liabilities, details of other debts that you hold, details on any dependants, income and expenditure, details from Credit reference Agencies, payment card details and any other relevant information about your finances.
• Account Information includes details about accounts held by you with our client, including balances, account numbers, payments to and from you, details of any arrears, details of arrears charges and associated costs.
• Online Information – Includes IP address (your computer’s internet address) if you use our websites.
• Profile Data includes your username and password, payments made by you, your financial situation, marketing preferences, communication preferences, feedback and survey responses, certain publicly available data such as details of property that you own and details of business interests.
• Usage Data includes information about how you use our website, payment line and services.
• Voice Recordings - Our calls are recorded for training and monitoring purposes and may be shared with our regulators, professional advisors, clients, and other companies within the Group. The call recordings will be retained in accordance with our Data Retention Policy.
• Special Categories of Personal Data (Sensitive Personal Data) - We do not generally collect special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership. However, we may on occasion collect information about your health, which may affect your ability to manage your finances or communicate with us. We will not hold this information without your express permission.
• Aggregated Data - We also collect, use, and share data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to communicate with you.
• To perform our contractual obligations with other Group companies.
• Where we need to understand your personal circumstances and assess your income and expenditure in relation to payment proposals.
• We may use your Identity, Contact, Financial, Technical, Usage and Profile Data to form a view on what we consider to be an affordable repayment plan for you.
• Where we need to instruct third parties to act on our behalf, which may be outside of our Group of companies.
• To report to our external advisors and investors.
• Where we need to consider relevant circumstances when making decisions about the progression of cases.
• Where we need to enquire about your Identity and Contact Data from online tracing tools.
• Where we need to comply with a legal or regulatory requirements and obligations.
• To deal with queries and complaints.
• Verifying your identity, preventing fraud and financial crime.
• Identifying vulnerable customers to help determine whether we need to take further steps to ensure these customers are not disadvantaged in any way.
• Assessing, developing, and managing our services, systems, business, and brand
  Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

• Your Lender / Our Clients - Initially we are provided with your personal data by the lender which originally provided you with your loan. We become a Data Controller or Data Processor (see Section 1) of your personal data when they assign (sell) or place the debt to us.
• Directly from you - You may give us your personal information by completing a call back form via our website(s) or by corresponding with us by post, phone, email or otherwise.
• County Court – we may collect information as part of the County Court Claim / enforcement process.
• Automated technologies or interactions. As you interact with our website(s), we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other Website(s) employing our cookies.
• Payment Services providers – we may obtain Contact, Financial and Transaction Data from providers of technical, payment services.
• Credit Reference agencies – we may obtain Identity, Contact and Financial Data.
• Publicly available sources – we may obtain Identity and Contact Data from sources such as the Electoral Register.
• Tracing companies - Where we need to collect personal data by law, or as part of the collections process or as part of the County Court Claim/ enforcement process and you fail to provide that data when requested, or we have been provided with out-of-date personal data by the original lender, we may have to obtain this personal data via online tracing tools and/or third-party tracing agents.
• CIFAS, a fraud prevention agency or similar fraud prevention agencies.
• The Insolvency Service or insolvency practitioners.
• Debt Management Companies.

As you would expect, our employees will access your personal information for the purposes mentioned above. For example, our staff need access to your information to support you when you get in contact with us.

We will also share your personal information with the following categories of third parties. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

• Companies within the Group that may act as joint data controllers or data processors.
• Service providers - including I.T. providers, SMS messaging services, call recording services and system administration services, survey
• Professional advisers - including lawyers, bankers, debt recovery agents, bailiffs, auditors, and insurers who provide consultancy, banking, legal, debt recovery services, tracing agents, repossession agents, insurance, and accounting services.
• Legal & Regulatory bodies including HM Revenue & Customs, regulators, HM Courts & Tribunals Service, and other authorities.
• Mediators
• Court Advocates
• Process Servers
• Third parties, including Debt Management Companies who you may authorise to deal with matters on your behalf.
• Customer satisfaction survey administrators.

Investors

In the event ACI was to merge or sell any part of its business or assets, it may be necessary to pass your personal information to the prospective buyer/party.

Credit Reference Agencies (“CRA’s)

This section explains how we work with credit reference agencies and explains what we do and why we do it. We will share your personal information with CRAs, and they will provide us with information about you. The data we exchange can include:

• Name, address, and date of birth
• Details of any other credit you may have, including shared credit
• Financial situation and history
• Fraud prevention information
• Public information, from sources such as the Electoral Register and Companies House.

We will use this data to:

• Assess whether you can afford to make repayments
• Make sure what you have told us is true and correct
• Help detect and prevent financial crime
• Manage your account with us
• Trace and recover debts

We will go on sharing your personal information with CRAs for as long as you have an account with us. This will also include details of funds going into the account, and the account balance. We will also include details of your repayments and whether you repay in full and on time. We will also tell the CRAs when you settle your accounts with us. The CRAs may give this information to other organisations that want to check your credit status.

The credit reference agencies have their own privacy policies which set out how they process and look after your data. Please see below the links to the privacy notice for each of the three main Credit Reference Agencies:

https://www.equifax.co.uk/crain
https://www.transunion.co.uk/crain
https://www.experian.co.uk/crain/

Data Protection legislation sets outs specific grounds under which your personal data may be lawfully processed. The legal grounds for the processing of personal data by us will depend on the purpose for which the processing is being carried out. We will only use your personal data when one of these grounds has been satisfied. Below you can see how we use your personal data and the legal grounds for processing this:

Necessary for legitimate interests

We also use your personal data when we have a “legitimate interest”, and that interest is not outweighed by your privacy rights. Each activity is assessed, and your rights and freedoms are considered to ensure that we are not being intrusive or doing anything beyond your reasonable expectation. We will assess the information we need, so we only use the minimum.

If you want further information about processing under legitimate interests, you can contact us using the details below. You also have the right to object to any processing done under legitimate interests. We will re-assess the balance between our interests and yours, considering your circumstances. If we have a compelling reason, we may continue to use your personal data.

We use legitimate interests for the following:

We may use third parties located outside the European Economic Area (EEA) to provide contact centre or back office support services. If we do, your personal data may be processed in countries outside the EEA. However, your data will always be stored in the UK and access to, and the use of your data will be restricted and controlled at all times.

These services will be carried out by experienced and reputable organisations on terms which safeguard the security of your information and comply with the European data protection requirements. Some countries have been assessed by the European Commission (EC) as being ‘adequate’, which means their legal system offers a level of protection for personal information which is equal to the EC’s protection. Where the country hasn’t been assessed as adequate, the method we have chosen to safeguard your information is ‘standard contractual clauses’ within the legal international data transfer agreement (IDTA) to safeguard the processing of your personal data.

The European Commission and the UK have recognised ‘standard contractual clauses’ as offering adequate safeguards to protect your rights and we’ll use these where required ensuring adequate protection for your information as prescribed by the GDPR.

We will complete a transfer risk assessment and use these recognised ‘standard contractual’ clauses if we conduct any activity that involves processing personal data outside the EEA.

We will always ensure your personal data is provided with adequate protection and all transfers of personal information outside the EEA are done lawfully and carefully.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

In the event of a potential data security breach, we will notify you and the Information Commissioner’s Office if we are legally required to do so, or there is a risk to your rights and freedoms because of the breach.

The Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

We will keep your personal data for as long as it is considered necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This will involve retaining your personal data for a reasonable period after your relationship with us has ended.

In the absence of specific legal, regulatory, contractual requirements or technical reasons, your personal data is kept for 6 years after our relationship with you has ended.

In certain circumstances you can ask us to delete your data: see Right to Erasure below for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Automated decisions are where a computer makes a decision about you without a person being involved.

Automated individual decision-making does not have to involve profiling, although it often will do.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate and / or predict certain personal aspects relating to a person; for example, your financial situation and / or financial behaviour and your likely future financial behaviours, such as your ability and propensity to repay.

We may make some solely automated decisions and profile your data; however, none that have a legal or similarly significant effect on you without human intervention.

We sometimes make automated strategy decisions and automate some processes based on pre-set system criteria or algorithms built by us, including artificial intelligence (AI) assisted decisions, that perform based on your profile.

Your rights are outlined below. The easiest way to exercise any of your rights would be to contact our Data Protection Officer at the contact details provided. We will provide a response within one month, if not sooner. There is normally no charge for exercising any of your rights. We may ask you for proof of identity when you request to exercise some of these rights to ensure we are dealing with the correct individual.

• Access to your personal data - You have the right to find out what personal data we hold about you, in many circumstances.
• Correcting or adding to your personal data - If any of your details are incorrect, inaccurate, or incomplete, you can ask us to correct them or to add information.

Withdrawing your consent - If you have provided consent for us to use your personal data, you have the right to withdraw it at any time. If you withdraw consent, then we are not allowed to use the personal data you previously provided consent for going forward. However, it would not invalidate processing that was carried out before you withdrew consent.

• Transferring your personal data to another organisation (Data portability) - In some circumstances, you can ask us to send an electronic copy of the personal data you have provided to us, either to you or to another organisation.
• Objecting to the use of your personal data for legitimate interests - You also have the right to object to any processing done under legitimate interests. We will re-assess the balance between our interests and yours, considering your circumstances. If we have a compelling reason, we may continue to use your personal data if that interest is not deemed to be outweighed by your privacy rights. However, we will inform you of that decision and reasoning for continuation of processing.
• Objecting to direct marketing - You have a specific right to object to our use of your personal data for direct marketing purposes.
• Objecting to automated decision making - You have a right to object if we have made an automated decision, including profiling, which has legal and significant effect against you. You may also have the right to challenge the decision and ask for a human review. These rights do not apply if we are authorised by the law to make such decisions and appropriate safeguards are in place to protect your rights.
• Restricting the use of your personal data - If you are uncertain about the accuracy or our use of your personal data, you can ask us to stop using your personal data until your query is resolved. We will let you know the outcome before we take any further action in relation to this personal data.
• Right to Erasure - You can ask us to delete your personal data in some circumstances. we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you when you make a request.

We use cookies in connection with the operation of our website. A cookie is a small file that is sent by a web server (where we host our website) to a web browser (from where you view our website), and which is then stored by the browser.

Usually, cookies do not hold any data by which you can be identified, although if we do hold personal data about you (for example, because you have an account with us or you have subscribed to a service that we offer) the cookie may be linked to that data.

In addition to cookies used by us, our service providers may also use cookies, and those cookies may also be stored in your browser when you visit our website.

Usually, you can prevent cookies from being downloaded to your browser and you may be able to delete those that have already been downloaded. How this is achieved varies between different browsers. Consult the website of your browser provider for more details.

The types of cookies that we use fall under the following categories:

• Strictly necessary (can't be switched off)

Data collected in this category is essential to provide our services to you. The data is necessary for the website to operate and to maintain your security and privacy while using the website. Data is not used for marketing purposes, or the purposes covered by the other three categories below.

These strictly necessary cookies are always on, as the services you've asked for can't be provided without this data.

• Performance

Data collected in this category is used to inform us how the website is used, improve how our website works, and help us identify issues you may have when using our services. This data is not used to target you with online advertising and is collected and reported anonymously. Currently ACI use Mouseflow and Google Analytics as a third party to supply this service.

• Targeting

Data collected in this category is used to help make our messages more relevant to you. The data is shared with other internal systems or third parties, such as advertisers and social media platforms we may use to deliver personalised advertisements and messages. If you don't wish to consent to this category, it's important to note that you may still receive generic advertising or service messages, but they will be less relevant to you.

• Functional & Profile

Data collected in this category enables the website to remember your choices. This means a more personalised experience for features of the website that can be customised. It may also be used to provide services you've asked for, such as watching a video or commenting on a blog.

You should be aware that if you block or delete cookies this may have a detrimental impact upon your ability to access our website or parts of our website, and the services that we provide.

For further information about the cookies, we use please contact our Data Protection Officer.

If you are unhappy with how we are using your personal data, you have the right to complain to the Information Commissioner’s Office. We would encourage you to contact us first to give us the opportunity to deal with your concerns in the first instance.

The Information Commissioner`s office can be contacted by

• Visiting their website www.ico.org.uk
• Phone on 0303 123 1113
• Write to Information Commissioner`s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Making sure that we keep you up to date with privacy information is a continuous responsibility and we keep this notice under review. We will update our notice as changes are required.

If we need to use your personal data for a new purpose which we have not previously told you about, we will contact you to explain the new use of your personal data. We will set out why we are using it and our legal reasons.

This privacy notice was last updated on the 25 July 2025.

We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details below:

Email: dpo@aciuk.co.uk

Post: Data Protection Officer, Unit 10, Whitehills Business Park, Whitehills Drive, Blackpool, Lancashire, FY4 5LW