Privacy notice
Date: 9/10/2025
1. Who we are
We are 91心頭 Ltd, formerly known as The Model T Finance Ltd. Our data protection registration is ZA503192, which is renewed annually. 91心頭 Ltd is the data controller and has overall responsibility for your personal data (collectively referred to as we, us or our in this Privacy Notice).
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions, including any requests to exercise your data protection rights, please contact our DPO using the details set out below.
Contact details
Postal address: Data Protection Officer, 91心頭, 73 Brook Street, Mayfair, London, W1K 4HX.
Email address: [email protected]
2. Purpose of this Privacy Notice
We respect individuals right to privacy and to the protection of their personal data. The purpose of this Privacy Notice is to explain how we collect and use personal data in connection with our business. Personal data means any information about a living individual who can be identified from that information, either directly or indirectly (e.g. when combined with other data).
This website is not intended for children as we will not be offering our services to anyone under 18 years of age.
3. What personal data we collect
We process your personal data to engage with you; the personal data processed will depend on the product you enquire about or apply for. We will also collect your name and contact information if you are acting on behalf of a customer. We also have a legal obligation to prevent fraud and money laundering. We may therefore collect, use, store and share the following personal data:
- Basic personal data: first name, last name, date of birth, passport (or other identification) information, financial information and employment information. This helps us verify your identity and meet our regulatory obligations. We may also request personal data for your next of kin (first name, surname and contact details). If you visit us in person, we will collect your image via our in-house CCTV.
- Special category data: information that may reveal your racial and ethnic origin and data relating to the alleged commission or conviction of a criminal offence. We will only collect this data when it is absolutely necessary.
- Contact information: residential or business address, email address and telephone numbers.
- Tax information: to help us comply with obligations under FATCA and the Common Reporting Standards.
- Technical information: IP address, login data, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile data: your username and password.
- Usage data: information about how you use our website.
- Telephone recordings: if you contact us by telephone, we may record your call with one of our representatives for training purposes and to ensure we are meeting our regulatory obligations.
- Chatbot interactions: Our website includes an AI-powered chatbot to help answer general questions about our products and services. The chatbot does not collect or store any personal data. Please do not include personal or financial information in your messages. If personal data is submitted by mistake, it will be deleted promptly and not used for any purpose.
We also collect, use and share aggregated data (statistical or demographic) for any purpose; this is not considered personal data in law as it does not directly or indirectly reveal your identity.
4. How we collect personal data
Direct interactions. You may give us your identity and contact details by filling in forms or by corresponding with us by post, phone, email or otherwise (e.g. creating an account on our website; requesting marketing; giving feedback).
Automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns via cookies and similar technologies (see our Cookie Notice).
Chatbot use: When you use our websites chatbot, your messages are processed in real time to generate responses. The chatbot does not create or retain transcripts linked to you, and it is not used to collect, profile or store personal data. Any messages that contain personal or financial information are deleted.
Third parties or publicly available sources. We may receive personal data about you from credit reference agencies, analytics providers (such as Google), publicly available sources (Companies House, Electoral Register) and the Insolvency Register. We will not commence gathering such data before you have had the opportunity to read this Privacy Notice.
5. How we use your personal data (lawful bases)
We will only use your personal data when the law allows us to, including: performance of a contract with you; where necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and to comply with a legal or regulatory obligation.
- Legitimate interests: means we use personal data where it is necessary for legitimate business reasons, provided our commercial interests are not outweighed by your rights and freedoms.
- Performance of a contract: where processing is necessary for a contract with you or to take steps at your request before entering a contract.
- Legal or regulatory obligation: where processing is necessary to comply with a legal or regulatory obligation.
6. Purposes for which we use your personal data
We use your data for the purposes set out below, together with the relevant data types and lawful bases.
| Purpose / Activity | Type of Data | Lawful Basis for Processing Your Data |
| To register you as a customer of our services (including contacts acting on a customers behalf). | Identity (which may include special category data) Contact | Performance of a contract with youNecessary to comply with a legal obligation |
| Processing (including sharing) to identify and prevent criminal activity (e.g. money laundering, fraud, terrorist financing). | Identity (which may include special category data) Contact Transactional | Necessary to comply with a legal obligation Necessary for our and the wider publics legitimate interests |
| To manage our relationship with you (e.g. notifying you about changes to our terms or Privacy Notice). | Identity Contact Profile Marketing and Communications | Performance of a contract with you Necessary to comply with a legal obligation Necessary for our legitimate interests (to keep our records updated and to study how customers use our services) |
| For assessment and testing of our systems to maintain high service standards. | Identity Contact | Necessary for our legitimate interests (to develop and improve our systems, products and services) |
| To enable you to complete a survey. | Identity Contact Profile Usage Marketing and Communications | Performance of a contract with you Necessary for our legitimate interests (to study how customers use our services, to develop them and grow our business) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting). | Identity Contact Technical | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or restructuring exercise) Necessary to comply with a legal obligation |
| To deliver relevant website content to you. | Identity Contact Profile Usage Marketing and Communications Technical | Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, services, marketing, investor relationships and experiences. | Technical Usage | Necessary for our legitimate interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations about services that may be of interest to you. | Identity Contact Technical Usage Profile | Necessary for our legitimate interests (to develop our services and grow our business) |
| If you visit our office in person. | Your image via CCTV | Necessary for our legitimate interests (for safeguarding and detection of crime) |
7. Change in purpose
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another compatible reason. If we need to use your personal data for an unrelated purpose, and where permitted by law, we will notify you and explain the legal basis.
8. Sharing your personal data
We may need to share your data with trusted third parties where this is lawful and necessary, including:
- law enforcement or regulatory authorities;
- credit reference agencies;
- fraud prevention services; and
- third parties working on our behalf (such as processors, subcontractors and professional advisers).
When we share your personal data with credit reference agencies (CRAs), they use it to confirm your identity and credit history so we can make responsible lending and account-management decisions. CRAs will also share information with us about your financial status, which helps us prevent fraud and money laundering. You can find more information about how CRAs use and share personal data in the Credit Reference Agency Information Notice (CRAIN) at .
We also share information with fraud-prevention services, such as Cifas, to protect both you and 91心頭 from financial crime. Further details of how your data is used by fraud-prevention agencies are available at www.cifas.org.uk/fpn.
All organisations that process personal data on our behalf are required to do so securely and only under our written instructions.
9. How we store and transfer your personal data
We process and store your personal data on servers managed by our hosting providers (data processors). Some hosting is outside the UK but within the EEA. When data is transferred to the EEA or other countries with UK adequacy decisions, it will continue to be protected to UK standards.
Note: fraud prevention agencies may transfer data outside the UK subject to appropriate safeguards.
10. Automated decision-making
Automated decision-making is making a decision solely by automated means (i.e. without human involvement). We may use automated checks when you request to open a savings account (e.g. identity verification and anti-fraud checks). If these checks might lead to a refusal, a member of staff will review the information and make the decision. 91心頭 does not complete automated decision-making on applications for our lending products.
11. Consequences of processing
Where we need to collect personal data by law, or under a contract with you, and you fail to provide that data when requested, we may not be able to perform the contract and may have to cancel the product or service you have with us. We will notify you if this is the case.
If background checks indicate fraud or an unacceptable level of fraud or money-laundering risk, you may be refused our services and other organisations may also refuse services. Fraud prevention agencies may retain relevant records for up to six years.
12. Marketing
We may use identity, contact, technical, usage and profile data to determine which products and services may be relevant to you. You will receive marketing communications if you have requested information from us previously or invested with us. You can opt out at any time using the contact details above and via the unsubscribe information included in each communication. We do not participate in third-party marketing and will not share your personal data outside 91心頭 for this purpose without your consent.
13. How long we keep your information
We retain personal data only as long as necessary for the purposes described in this notice. Regulatory requirements currently require us to keep personal data for seven years following account closure (or longer in certain circumstances). We may anonymise data for research or statistical purposes and use it indefinitely without further notice.
14. Data security
We have appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access is limited to those with a business need to know and who are subject to confidentiality. We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator where legally required.
15. Your rights
Your rights under the Data Protection Act 2018 and UK GDPR include:
- Right to be informed – to know how and why we collect, use and share your personal data.
- Right of access – to ask for a copy of the personal data we hold about you and understand how it is used.
- Right to rectification – to have inaccurate or incomplete personal data corrected.
- Right to erasure – to ask us to delete your personal data where there is no lawful reason for us to keep it.
- Right to restrict processing – to ask us to limit how we use your personal data in certain circumstances.
- Right to data portability – to receive your personal data in a structured, commonly used format and transfer it to another organisation.
- Right to object – to object to the processing of your personal data, including for direct marketing.
- Rights related to fully automated decision-making (including profiling) not to be subject to decisions made solely by automated means that have a legal or significant effect on you, and to request a human review of such decisions.
16. Making a request
To exercise your rights, contact us using the details above. We may need to verify your identity and may request further information. We will respond within one calendar month (extendable by two months for complex or multiple requests). We do not normally charge a fee unless a request is manifestly unfounded, repetitive or excessive.
17. Changes to this notice and your duty to inform us of changes
We may update this Privacy Notice from time to time; the updated version will be published on our website. Please visit regularly to stay informed. Please also keep us informed if your personal data changes during your relationship with us.
18. Making a complaint
If you have any concerns about how we handle your personal data, please contact us in the first instance so we can try to resolve the matter quickly and fairly. You can contact our Data Protection Officer (DPO) by email to: [email protected].
19. Information Commissioner
If you are not satisfied with our response or believe that we are not processing your personal data in accordance with the law, you have the right to make a complaint to the Information Commissioners Office (ICO).
Website
Telephone: 0303 123 1113
This Privacy Notice was last updated October 2025.