Privacy Policy
How Mortgage Broker Hub handles, processes, and protects your data.
This Privacy Policy explains how Mortgage Broker Hub ("Mortgage Broker Hub", "we", "us", "our") collects, uses and protects personal data when you use our website and services.
We are committed to protecting your privacy and handling your information in a way that is fair, transparent and compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are and how to contact us
Controller:
Mortgage Broker Hub is the data controller of personal data processed in connection with this website and service (except where we act as a processor on your instructions – see Section 3).
Legal entity details:
- Legal name: Mortgage Broker Hub
- Email: team@mortgagebrokerhub.co.uk
If you have any questions about this Privacy Policy or our data practices, please contact us using the details above.
2. Who this policy applies to
This Privacy Policy applies to:
- Mortgage advisers / firms / professional users who register for and use our Service;
- End clients of those advisers whose payslips and related information are uploaded to our Service (we call them "Clients" in this Policy);
- Visitors to our website at https://www.mortgagebrokerhub.co.uk/.
Our Service is intended for business / professional use only, not for consumers acting in a personal capacity.
The Service is not intended for use by or in relation to individuals under the age of 18. The Service must not be used to process data relating to individuals under 18 years of age. If you become aware that Client Data relates to a minor, you must immediately notify us at team@mortgagebrokerhub.co.uk and remove such data from the Service.
3. Roles: controller vs processor
We act in different roles depending on the context:
As a controller – We are the data controller in relation to:
- Your account information (as an adviser / firm);
- Our own business records (billing, communications, logs etc.); and
- Website usage and contact details.
As a processor – When you (as a mortgage adviser or firm) upload Client Data (e.g. payslips and related information) into the Service for your own clients, we generally act as a data processor on your behalf. You are the data controller for that Client Data. We process it only:
- On your instructions;
- For the purpose of providing the Service; and
- In accordance with our Terms of Service and this Privacy Policy.
If required, we can also enter into a separate Data Processing Agreement (DPA) with you.
4. The data we collect
Data minimization
We collect and process only the personal data necessary to provide the Service. We encourage users to upload only the documents and data required for their specific use case and to avoid uploading irrelevant or excessive personal information.
4.1 Data you provide directly
For adviser / firm users:
- Name and contact details (e.g. name, email, phone number);
- Login credentials (e.g. email and password – we store only hashed passwords);
- Billing details (e.g. name, address, partial payment information – Stripe handles card details);
- Communications you send us (support requests, feedback, etc.).
For Clients (via you):
When you upload payslips and related financial documents for your Clients, these may contain:
- Name and address;
- Employer details;
- Salary and income information;
- National Insurance number or other identifiers (depending on the document);
- Pay history (e.g. last 3 months' payslips);
- Other information appearing on the payslips or related documents that you upload.
You must ensure you have a lawful basis and appropriate consent/notices in place with your Clients before uploading their data to the Service.
4.2 Data we collect automatically
When you use our website or Service, we may collect limited technical and usage information such as:
- IP address;
- Browser type and version;
- Device type and operating system;
- Dates and times of access;
- Log data about actions taken in the Service (e.g. uploads, deletions, report generation).
We use this for security, troubleshooting, audit trails and to improve the Service.
4.3 Payment information
We use Stripe to handle payments. Stripe is a separate data controller for card details and payment instruments.
We receive limited information from Stripe, such as:
- Confirmation of payments;
- Last 4 digits of card, card type and expiry (where applicable);
- Billing contact details.
We do not store or have direct access to your full card number or CVV.
5. How we use personal data
We use personal data for the following purposes:
To provide and operate the Service
- Creating and managing user accounts;
- Processing uploaded documents and extracting data using AI tools;
- Generating reports and outputs (PDFs, spreadsheets);
- Storing and deleting cases in line with our retention practices.
To perform our contract with you
- Charging and collecting subscription fees;
- Providing customer support and technical assistance;
- Sending important service communications (e.g. outages, changes, updates).
For our legitimate interests, including:
- Monitoring and improving the Service;
- Security, fraud prevention, and misuse detection;
- Keeping appropriate business records, audit logs and backups;
- Enforcing our Terms of Service.
To comply with legal obligations
- Accounting, tax and record-keeping;
- Responding to lawful requests from authorities;
- Complying with applicable laws and regulations.
We do not use Client Data for marketing or profiling unrelated to the Service.
5.1 Automated processing and AI
We use AI technology (Google's Gemini Pro 2.5 via Vertex AI) to automatically extract and process information from uploaded payslips and documents. This processing:
- Is used solely to extract structured data for your use;
- Does not involve automated decision-making that produces legal or similarly significant effects;
- Always allows for human review and correction of extracted data;
- Is performed as part of providing the Service under our contract with you.
6. Legal bases for processing
We typically rely on the following legal bases under UK data protection law:
- Contract – where processing is necessary to deliver the Service under our Terms of Service (e.g. managing accounts, processing uploads, issuing invoices).
- Legitimate interests – for activities such as security, service improvement, business records and preventing misuse, where our interests are not overridden by your rights.
- Legal obligation – where we must process or retain data to comply with applicable law (e.g. tax, accounting, regulatory requirements).
- Consent – in limited cases, for example if you expressly opt-in to particular communications or optional features. You may withdraw consent at any time.
Where we act as a processor for Client Data, you (the adviser / firm) are responsible for ensuring a lawful basis to process the Client's personal data.
7. Cookies and similar technologies
We currently do not use cookies or similar tracking technologies for analytics or advertising on our website or within the Service.
- We do not set marketing cookies.
- We do not use third-party advertising networks or invasive tracking.
If this changes in the future, we will update this Privacy Policy and, where required, seek your consent before setting any non-essential cookies.
Please note that our third-party providers (e.g. Stripe, some embedded payment or support tools) may use their own cookies or similar technologies in accordance with their own privacy and cookie policies.
8. Data retention
8.1 Client case data (payslips and extracted data)
- We delete each case (including uploaded payslips and extracted data) from the live application environment 1 hour after the case has been completed or closed; any case that has been created but not completed is deleted within 24 hours.
- You are responsible for downloading and securely storing any outputs (e.g. PDF or Excel reports) that you need for your records, compliance or audit purposes.
8.2 Backups and logs
- Backups of our systems and log files may contain personal data, including elements of Client Data.
- These are retained for limited periods for security, disaster recovery and audit purposes and are then deleted or anonymised in line with our internal retention schedules.
- Access to backups and logs is strictly limited.
8.3 Account, billing and communication data
We retain adviser / firm account data, billing records and key communications for as long as reasonably necessary:
- To provide the Service;
- To comply with legal and regulatory obligations (e.g. tax, accounting); and
- To resolve disputes or enforce our agreements.
Where personal data is no longer needed, we will delete it or anonymise it.
9. How we share personal data
We may share personal data with:
Service providers / processors
We use carefully selected third-party service providers to help us deliver, secure and support the Service. These include:
- Cloud hosting providers, such as Google Cloud Platform (GCP), to host the Service and store data securely;
- AI infrastructure and model providers, including Google's Gemini Pro 2.5 accessed via Vertex AI, to process and extract data from uploaded payslips and related documents;
- Payment processors, such as Stripe, to process subscription payments;
- Other IT, security, support and communication providers helping us operate and support the Service.
These providers act as our processors or sub-processors and are bound by contracts requiring them to:
- Use personal data only on our documented instructions and for the purposes of providing their services to us;
- Implement appropriate security measures; and
- Maintain confidentiality.
AI and cloud sub-processors (including Google Cloud Platform, Vertex AI and Google's AI models) may handle data in line with their own security, privacy and retention practices, which they document separately and may update from time to time. We do not permit these providers to use Client Data for their own independent marketing purposes.
A current list of our main sub-processors is available at: https://www.mortgagebrokerhub.co.uk/sub-processors
Professional advisers
Lawyers, accountants, auditors and insurers, where necessary for advice, auditing, risk management or insurance.
Authorities and regulators
- Where required by law, regulation or court/authority order; or
- Where necessary to protect our rights, property or safety, or those of our users or others.
Business transfers
If we undergo a merger, acquisition, reorganisation, sale of assets or similar transaction, personal data may be transferred to the relevant third party (and their advisers) as part of the process, subject to appropriate safeguards.
We do not sell personal data.
10. International transfers
Our main infrastructure is hosted with Google Cloud Platform in the European Union. All personal data, including Client Data, is processed and stored within EU data centres and is not transferred outside the EU.
As the European Union has been granted an adequacy decision by the UK government under the UK GDPR, transfers of personal data from the UK to our EU-based infrastructure benefit from this adequacy recognition and do not require additional safeguards.
We have implemented technical and organisational measures to ensure data remains within the EU region, including configuring our Google Cloud Platform services to use EU-only data centres and processing locations.
If our data location practices change in the future, we will update this Privacy Policy and notify you in accordance with Section 17.
11. Security
We take security seriously and implement appropriate technical and organisational measures to protect personal data, including:
- Use of reputable cloud providers and secure data centres within the EU;
- Encryption in transit using HTTPS/TLS for all data transmission;
- Encryption at rest using AES-256 encryption for stored data;
- Access controls and authentication mechanisms to restrict access to authorised personnel only;
- Logging and monitoring of system access and actions to detect and respond to security incidents;
- Regular reviews of security practices and updates to address emerging threats;
- Secure deletion processes to ensure data is irretrievably removed when no longer needed.
However, no system is completely secure. You are also responsible for:
- Keeping your login details confidential;
- Ensuring only authorised staff access your account;
- Using strong, unique passwords and enabling any additional security features we offer;
- Securely storing any downloaded reports or outputs containing Client Data.
12. Your rights (individuals in the UK)
If you are an individual in the UK, you have certain rights under data protection law, including the right to:
- Access your personal data and obtain a copy;
- Rectify inaccurate or incomplete data;
- Erase personal data in certain circumstances ("right to be forgotten");
- Restrict processing in certain circumstances;
- Object to certain types of processing (especially where based on legitimate interests);
- Data portability – to receive certain data in a structured, commonly used format and transmit it to another controller;
- Withdraw consent where processing is based on your consent (this does not affect prior processing).
When we act as a processor on behalf of an adviser/firm (for Client Data), the adviser/firm is the controller. We will assist them in responding to rights requests, but you should contact them directly in the first instance.
To exercise your rights, please contact us using the details in Section 1. We may need to verify your identity before responding.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://www.ico.org.uk/
13. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach;
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- Document all data breaches and our response, regardless of whether notification is required.
If you are an adviser/firm and we experience a breach involving Client Data for which you are the controller, we will notify you promptly so you can fulfil your own notification obligations.
14. Marketing communications
We do not currently engage in heavy marketing. If we send you any optional marketing emails:
- We will do so in line with applicable marketing and e-privacy laws;
- You will always have the option to unsubscribe using the link in the email or by contacting us.
Essential service or account communications (e.g. billing notices, security alerts, changes to terms) are not considered marketing and you may not be able to opt out of receiving those while using the Service.
15. Your regulatory responsibilities
Nothing in this Privacy Policy or in our Service:
- Provides compliance, legal or regulatory advice; or
- Transfers responsibility for your own regulatory obligations (including those under FCA rules or those imposed by networks or principal firms).
You remain solely responsible for:
- Ensuring you have a lawful basis and appropriate notices/consents for processing Client Data using our Service;
- Your own record-keeping, retention, disclosure and reporting obligations;
- Any regulatory filings, permissions or standards that apply to you.
16. Third-party websites
Our website and Service may contain links to third-party websites, services or tools (including Stripe and others). These are not controlled by us.
This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We recommend you review their privacy policies before providing any information.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect:
- Changes in our Service;
- Changes in law or guidance; or
- Feedback from users and regulators.
We will post the updated version on our website and may notify you by email or via the Service where changes are material.
Your continued use of the Service after the updated Privacy Policy takes effect will constitute your acknowledgment of the changes.
18. Contact and complaints
If you have any questions, concerns or requests about this Privacy Policy or how we handle personal data, please contact us at:
Email: team@mortgagebrokerhub.co.uk
You also have the right to raise a concern with the Information Commissioner's Office (ICO) at any time, but we would encourage you to contact us first so we can try to resolve any issues.