This website uses 'Strictly Necessary Session Cookies' to enable the website to function. These will be deleted automatically when you close your browser.
We also like to set 'Optional Website Analytics (tracking) Cookies' to help us improve our websites.
If you click 'Accept', we’ll accept this as your consent and that you are happy to receive tracking cookies. If you do not wish this browser session to be tracked via cookies please ensure you click the 'Deny' button below, You can reset this at any point by clicking the "Reset non-essesntial cookies" option. You can change these preferences at any time by visiting our Cookie policy.
More information about the types of cookies we use on this website and our Cookie policy. View our Privacy policy for more information about how we store and process your personal data.
This Privacy Notice explains how we collect, store, use and protect personal data about you when you access https://www.rooftopmortgages.com/ as well as in our day to day business.
Rooftop Mortgages ("Rooftop") is a loan and asset management services provider. BCMGlobal Mortgage Services ("BCMGlobal") provides mortgage administration services to Rooftop and its customers.
Rooftop acts as Data Processor when it provides loan administration services on behalf of its clients. Rooftop acts as Data Controller when it provides services to process internal data (e.g. relating to staff). For more details please see section 11.
We collect personal information about you and are committed to protecting this information and your privacy. Set out below is an explanation of how we use, collect and safeguard your personal information through our website or in our day-to-day business.
According to the principles of data protection, we only collect and process personal data that we need for our specified purposes. BCMGlobal will collect and use only as much personal data from you as is necessary to be able to provide you with the services you have requested from us.
We collect basic information (name, contact details, etc.) when you contact us directly, for example within this site to submit personal information to us by email or online enquiry. We will record what you say to us by email or phone, as sometimes it is legally required to do so. However, when we record a call, we will inform you at the beginning of the telephone conversation. Call recordings are kept for seven years.
We also collect personal information directly from you:
| What we do | What information we collect | Why we can do it (legally) |
| Respond to queries and complaints |
Name, contact details and other information about the services we provide you as part of our contract
|
Legitimate interest, it is important to us as a business We are legally required to do so |
| Receive accident and incident reports | Name and contact details | Legitimate interest, it is important to us as a business |
| Respond to Data Subject Rights Requests |
Name, contact details and other information about the services we provide you Information for other individuals included in our products (ex. beneficiaries) |
We have a legal obligation to do this |
| Record calls between Rooftop staff and yourself | Name, contact details and other personal information that you might choose to disclose such as health data | Because we are legally required to do so |
| What we do | What information we collect | Why we can do it (legally) |
| Review your application for the service you are interested in to ensure we can perform the contract (including tax domicile status) |
Your name, contact details, date of birth, NI number, address for tax purposes Similar information for other Individuals included in the product you are hiring, such as beneficiaries |
Because we are legally required to do so To provide you with our services based on our contract |
| Administer, provide and service the product you are hiring with us |
Your name, contact details, date of birth, personal tax number, address for tax purposes Similar information for other individuals included in the product you are hiring, such as beneficiaries Product performance information Your bank account details Special category of data such as health information if you previously disclosed it to us |
To provide you with our services based on our contract Because we are legally required to do so Consent, in the case of special category of data if you are able to consent freely |
| Regularly communicate with you |
Your name, contact details and any information relevant to the service we provide you Similar information for other individuals included in the contract as part of the service we provide, such as beneficiaries Product performance information Health information if you request communications in Braille or other easier to read formats |
To provide you with our services based on our contract Because we are legally required to do so Consent, in the case of special category of data if you are able to consent freely |
| Prevent financial crime such as money laundering, sanction breaches, tax evasion and fraud |
Your name, contact details, date of birth, personal tax number, address for tax purposes Similar information for other individuals included in the contract as part of the service we provide, such as beneficiaries Your bank account details |
To provide you with our services based on our contract Because we are legally required to do so Substantial Public interest (prevent financial crime), in regard to any information on criminal convictions |
| To keep our own internal and external management information, maintaining accounting records, analysis of financial results, internal audit requirements or receiving professional advice, as required |
Your name, contact details, date of birth, NI number, address for tax purposes Similar information for other individuals included in the contract as part of the service we provide, such as beneficiaries Product performance information |
Our legitimate interest, to keep appropriate records to monitor performance and evaluate business performance Because we are legally required to do so |
| To improve our products and services and for analytical purposes |
Your name, contact details, date of birth, NI number, address for tax purposes Similar information for other individuals included in the contract as part of the service we provide, such as beneficiaries Product performance information |
Legitimate interest, to improve our services |
Certain communications we send you, such as your annual statements, are important in order for you to understand your policy. We must send these to you to meet a legal obligation or regulatory requirement. You cannot opt out of these communications.
You are in control of how we use your information for marketing, and we will only contact you if we administer your mortgage or you have previously expressed an interest in attending one of our events. In these circumstances, we may share information within Rooftop to inform you of other similar products and services that may be of interest to you, unless you tell us that you do not wish to receive this information.
If you wish to unsubscribe from any emails sent by us, you may do so at any time by following the unsubscribe instructions that appear in the email. Otherwise, you can contact us using the details set out in this Privacy Notice to update your contact preferences. In such circumstances, we will continue to send you service related (non-marketing) communications where necessary.
| What we do | What information we collect | Why we can do it (legally) |
| Consider you for an employment opportunity and to communicate with you, as needed | Collect name, address, email, telephone number, CV, salary expectations and legal residency status | Consent and to be able to take pre-contractual steps |
| Confirm your employment with us | Collect Date of birth, referee details (if any), bank account details or other payment or financial information, details related to background screening (if applicable) | Consent and to be able to carry out with the employment contract |
| Manage and progress the recruitment process | Collect public information in Linkedin and other available public sources | Legitimate interests |
When Rooftop collects data for recruiting purposes, the Data Controller is BCMGlobal Mortgage Services Limited. For more information you can access the Group Recruitment Privacy Notice here.
We will only disclose your personal information in accordance with applicable laws and regulations applicable to the countries in which our businesses operate. We will disclose your information to the following third parties:
The list of possible disclosures is not intended to be exhaustive and there may be other legitimate purposes for holding, disclosing or otherwise processing your personal information. Where the law so requires, you will be notified of any additional purposes and where required your consent will be sought.
We operate in the UK. The sharing of personal information with third parties set out above may involve the transfer of data to jurisdictions outside of the European Economic Area (EEA).
Transfers to BCMGlobal Mortgage Services are be covered by a legal agreement which contractually obliges each member to ensure that your Personal Data receives an adequate and consistent level of protection.
We store the information you provide about yourself in a secure database and take appropriate security measures to protect such information from unauthorised access.
We take protection of your personal information and our system security very seriously. Any personal information which is collected, recorded or used in any way will have appropriate safeguards applied in line with our data protection obligations.
We implement internal and external audits and regular, independent assurance exercises across our business to ascertain the effectiveness of our security control environment and our security strategy.
Your information is protected by controls designed to minimise loss or damage through accident, negligence or deliberate actions. Our employees also protect your personal and confidential information whenever they are processing it and must undertake annual training on this.
Our security controls are aligned to industry standards and good practice; providing a controlled environment that effectively manages risks to the confidentiality, integrity and availability of your information.
All exchanges of information between you and our website go through encrypted channels in order to prevent interception of your information. Public access to your information via our website / the portal / any web-hosted platform is protected by a login using your user ID and password. You should ensure that these are kept secret and not divulged to other people. You recognise that your use of our website is entirely at your own risk. The Rooftop website operates on the internet, which is inherently insecure. Rooftop cannot guarantee the information you supply will not be intercepted while being transmitted over the internet. Accordingly, Rooftop has no responsibility or liability for the security of personal information transmitted by you via our website.
To take full advantage of all security features you should use an up-to-date browser. To further ensure your personal information is safe, please note, we will never ask a customer to confirm any debit or credit card details via email.
We keep personal data for a variety of purposes and for a variety of time periods. The general guidelines for how long we keep personal data are based on what is necessary and proportionate in our business, taking into consideration how and why we collected it and with specific reference to legal obligations that apply to our business.
Where there is no legally defined period for keeping data, we will keep your information for a time period based on relevant industry standards. Where there are no relevant industry standards, we will use a time limit that allows us to serve you and to comply with our contract commitments but also, we will ensure we do not keep the information for longer than needed. We typically keep personal data used to provide you with our products/services for 7 years from the end of our relationship with you. In some cases where there may be a dispute or a legal action, we may be required to keep personal information for longer.
If we anonymise your personal information so that it can no longer be associated with you, it will no longer be considered personal information, and we can use it without further notice to you.
You have the following rights in relation to how we use your information. To know how you can exercise these rights refer to section 12 “Where you want to submit a Data Subject Request”. You can contact us at ComplianceTeam-Ipswich@bcmglobal.com.
You have a right to complain to the ICO, more information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ if you are in the UK.
You have the right to know if we are using your information and, if so, the right to access it and information about how we are using it. There will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested. Where you have made the request by electronic means the information will be provided to you by electronic means where possible.
We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, you have the right to require us to rectify any errors in the information we hold about you.
You have the right to require us to delete your information if our continued use is not justified. However, this will need to be balanced against other factors, depending upon the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request.
In some circumstances, you may not be entitled to require us to erase your information, but may be entitled to limit the purposes for which we can use it.
You have the right to require us to provide you with a copy of the personal information that you have supplied to us in a commonly used machine-readable format or to transfer your information directly to another controller (e.g. a third party offering services competing with ours). Once transferred, the other party will be responsible for looking after your personal information.
You can ask us to stop sending you marketing messages at any time.
Rooftop does not make decisions about you using automated decision making or profiling of your personal data.
For certain limited uses of your personal information, we may ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. If you withdraw your consent, we may not be able to provide certain products and services to you. If this is the case, we’ll tell you at the time you ask to withdraw your consent.
In some circumstances exercising some of these rights will mean we are unable to continue providing you with your mortgage or maintaining a business relationship with you.
You can make any of the requests set out above using the contact details in this Privacy Notice. Please note that in some cases we may not be able to comply with your request for reasons such as our own obligations to comply with other legal or regulatory requirements. We will always respond to any request you make. We may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances, but we will tell you why.
Each time you use our websites, we will automatically collect certain technical information, including the type of browser you use, the Internet Protocol (IP) address used to connect your computer to the internet, and information about your visit, including the full Uniform Resource Locations (URL), clickstream to, through and from our sites, traffic data and other communication data, the resources that you access, and the information derived from the cookies we place on your mobile device and/or computer.
In order to improve the quality of our website and services, we may from time to time send your computer a "cookie". Cookies are text files that identify your computer to our server and are stored on your device. Cookies in themselves do not identify the individual user, just the computer used. When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the website work as you expect it to. Cookies enable us to improve your user experience by avoiding the need for you to enter the same information more than once. They also allow us to analyse user behavior to improve the functionality and performance of our website. Because we respect your right to privacy, you can choose not to allow some type of cookies. Review the different cookie category headings below to find out more. For more on how to change our default settings review the section “How to control and delete cookies” below. However, please be aware doing so may impact your experience on the site.
We comply with the EU cookie regulations as introduced in the UK on 25 May 2011 through the EU ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC). There are several types of cookies that can be stored on your device. The following is a non-exhaustive list you can learn more about the different types of cookies in our cookie policy:
"Strictly necessary Cookies". These cookies are always on when you visit us and you can’t turn them off. We call these "strictly necessary Cookies". We use them to make sure our digital services are secure and work correctly.
We also use tracking Cookies to help us understand our visitors better. You can switch these on or off at any time and you can always change your mind. We’ll only use them if you’ve given us your consent.
Also, you should be aware there may be some Cookies from other companies. These "third-party Cookies" might track how you use different websites, including ours. For example, you might get a social media company’s Cookie when you see the option to share something. You can turn them off, but not through us. To know more, you can visit our cookie policy.
On your first visit, we will tell you about the types of cookies we use and ask for consent. You can also delete any cookies that are already on your computer, the "help" section in your browser should provide instructions on how to locate the file or directory that stores cookies.
Further information about cookies can be found at https://ico.org.uk/for-the-public/online/cookies/.
In addition, in order to develop our site in line with customers’ needs, Rooftop uses an analytics and optimization service provided by WT EMEA Acquisitions Ltd (WebTrends) to track and analyse how parts of the site are used. We use this information to help improve the site. The data collected by WebTrends will be stored exclusively for analytical purposes and does not result in any personally identifiable data being collected or stored. WebTrends will send your computer a persistent cookie in order to evaluate your use of this site. WebTrends store the information collected by the persistent cookie on servers in the United States, European Union Member States and other countries. WebTrends may also transfer this information to third parties where required to do so by law, or where such third parties process the information on WebTrends' behalf. WebTrends will use this information for the purpose of evaluating use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. WebTrends will not associate your IP address with any other data held by WebTrends. Rooftop uses WebTrends to optimise this site and improve the service we provide to our visitors. This ensures that the website is fully functional and optimised to create the best possible user experience.
Our website uses Google Analytics, a web-based analytics tool that tracks and reports on the manner in which the website is used to help us to improve it. Google Analytics does this by placing small text files called 'cookies' on your device. The information that the cookies collect, such as the number of visitors to the site, the pages visited and the length of time spent on the site, is aggregated and therefore anonymous. The retention period for data that is associated with cookies, user identifiers or advertising identifiers is 38 Months.
We never gather other information from your disk or computer. We will collect a copy of the data held by the cookie from inclusion in any analysis. We use full SSL protocols when collecting visitor information on secure pages; this ensures that the site’s security is not compromised. We encrypt all transmitted visitor information (even from non-secure pages), so no-one else can read the information we gather. None of the cookies used on our websites collect, record or store personally identifiable information about you.
Our site may contain links to other sites. Such other sites may also make use of their own cookies and will have their own privacy policies. You should carefully review the privacy policies and practices of other sites, as we cannot control or be responsible for their privacy practices. We do not accept any liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.
Rooftop provides support for the administration of these loans to its clients or to intermediaries who hold the primary responsibility for the loans. In some cases, Rooftop is directly responsible for the administration of loans (and may also be responsible for the determination of the management of the overall strategy regarding this loan portfolio) where it acts in the capacity of lender of record. Rooftop however will never offer lending for new loans.
When Rooftop provides services on behalf of its clients, the Client will be the Data Controller and Rooftop will be the Data Processor. When Rooftop collects data for (1) Marketing and (2) products and services related activities provided directly to the borrowers, Rooftop will be the Data Controller.
The lender or owner of your loan is responsible for providing you with a statement setting out how this is achieved (often referred to as a Privacy Notice) in situations where Rooftop is providing services to them. This document constitutes the Privacy Notice where Rooftop act as legal title holder of your loan.
If you require a copy of the Privacy Notice in either case, you should get in touch with the case manager you normally deal with in respect of your loan.
Rooftop does not accept any liability for the privacy practices of the lenders or loan owners that it provides services to. Where you access a Privacy Statement on a third-party website, your use of such websites is at your own risk.
As stated in section 8 you have several rights in relation to your personal information, including the right to request access to your personal information, correct any mistakes on our records, erase or restrict records where they are no longer required, and object to us of personal information based on legitimate business interests.
We will respond to your request in writing, as soon as practicable, and in any event not more than one month after of receipt of your request. In exceptional cases, we may extend this period by two months and we will tell you why. We may request proof of identification to verify your request. To exercise these rights please contact us by using the details below.
In particular, regarding your right of access, you have the right to obtain the following from us, as Data Controller:
If you wish to submit a Data Subject Access request, please email privacy@linkgroup.ie. In your request, it would be helpful to us if you set out as much information that you can concerning your request
including:
What you are seeking to achieve from submitting the request;
What types of personal data does the request apply to; and
Over what period did you provide the personal data to the lender or loan owner or to Rooftop acting on its behalf.
The ICO has provided the below template for access requests that are made to the controller in writing:
"Dear...
I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form in relation to..."
When Rooftop is not the Data Controller of your information, all responses to Data Subject Access requests are the responsibility of the lender or loan owner concerned rather than of Rooftop, as it acts as Data Processor on behalf of the Data Controller.
In addition, please note that the rights you have in respect to your personal information are not absolute and are subject to a range of legal conditions and exemptions. If and to the extent a relevant legal condition or exemption applies, we reserve the right not to comply with your request. However, we will let you know why.
Please note that this Notice will be reviewed and may be changed from time to time. Any changes we may make to our Privacy Notice in the future will be posted on this page and the date of revision will be documented at the end of this page.
Questions, comments, complaints and the exercise of your rights regarding this notice and your information are welcomed and should be addressed to the Data Protection Officer by email at ComplianceTeam-Ipswich@bcmglobal.com or by post at Rooftop Mortgages, Crown House, Crown Street, IP1 3HS.
We may update this Privacy Notice from time to time to keep it up to date or when necessary to meet legal requirements. If there are any significant changes to how we use your personal information, we’ll tell you by putting a notice on our website and sending you details by email or post.
Updated: August 2023