At Illumin8 we are committed to protecting and respecting your privacy. We know that you care about how your information is used and shared and we appreciate your trust in us to do that carefully and sensibly.

Illumin8 believes it is important to protect your Personal Data (as defined in the UK GDPR and the Data Protection Act 2018) and we are committed to giving you a personalised service that meets your needs in a way that also protects your privacy. This policy explains how we may collect Personal Data about you. It also explains some of the security measures we take to protect your Personal Data and tells you certain things we will do and not do. You should read this policy in conjunction with the Website Terms.

By accepting our Website Terms, visiting ('the Website') or consent via our 3rd party partner(s), you are accepting and consenting to the practices described in this Privacy Policy.

Brighter Lending Limited T/a Illumin8

• Tempest, Suite 3.1, 3rd Floor, 12 Tithebarn Street, Liverpool, L2 2DT
• Company Number: 12038032
• Registered Office: 17 Duke Street, Formby, Liverpool, L37 4AN
• ICO Registration Number: ZA551095
• FCA Registration Number: 928634

In partnership with:

AMHK Limited T/a Rev X

• Sweeting House, Sweeting Street, Liverpool, L2 4TE
• Company Number: 14129272
• Registered Office: C/O Burton Varley, Suite 3, 2nd Floor, Didsbury House, 748-754 Wilmslow Road, Manchester, M20 2DW
• ICO Registration Number: ZB581042

This policy applies to all personal data we collect in connection with:

• Your use of our website or any application forms
• Your engagement with our services directly or via an introducer
• Communications you have with our staff, support services, or partners
• Referrals we receive from third parties or affiliates on your behalf

This policy is directed at clients, prospective clients, service users, introducers, professional partners, and other third parties whose data we may lawfully process.

• “Personal Data” means any information relating to an identified or identifiable natural person.
• “Processing” refers to any action performed on data, including collection, storage, modification, transmission, or deletion.
• “Controller” is the party that determines the purpose and means of processing personal data.
• “Processor” is a third party that processes data on behalf of the controller.
• “Special Category Data” includes sensitive information such as health data or criminal history, which requires additional safeguards.
• “UK GDPR” refers to the retained EU law version of the General Data Protection Regulation applicable in the UK.

We and our partners operate within a regulated environment and are subject to multiple legal and regulatory regimes. These include:

• The Data Protection Act 2018 and the UK GDPR, which define how we handle personal data
• The Solicitors Regulation Authority (SRA) Code of Conduct, when we introduce clients to regulated law firms
• Anti-money laundering legislation and other applicable laws concerning fraud prevention, financial crime, and consumer protection
• We are required to maintain records, conduct due diligence, and uphold client confidentiality while cooperating with law enforcement and regulatory bodies when required.

We collect a range of personal information depending on the services we provide to you, which may include:

• Full name, title, and contact details including phone numbers, email addresses, and home addresses
• Date of birth, National Insurance number, and government-issued identifiers such as driving licence or passport
• Financial and employment information, including income, bank details, expenditure, and credit history
• Special category data (e.g. health information or criminal convictions) only where necessary and with explicit consent
• Technical and digital data such as IP address, device type, browser history, or behavioural analytics when using our website

All data is collected with clear intent and for specific lawful purposes as outlined in the sections below.

Your personal data may be collected from a variety of sources:

• Directly from you when you complete online forms, call our support centre, send emails, or interact with our team
• Through third-party referrals, such as introducers or affiliates who believe our services are suitable for you
• From regulated Credit Reference Agencies (CRAs) such as Equifax, when you give us permission to retrieve your credit report
• Automatically through your use of our website, such as by logging page views or gathering information via cookies and analytics platforms
• From regulatory or legal institutions where your case requires us to retrieve or confirm existing data or history

We only collect data that is relevant, proportionate, and necessary for the services we offer or the obligations we are under.

For us to process your data we have to have a lawful basis to do so. We are relying on the following basis to do so:

• Consent: you have given clear consent for us to process your personal data for a specific purpose.
• Contract: the processing is necessary to obtain copy of your credit reference agency information from Equifax or because you have asked us to take specific steps before entering into a contract with your appointed representative (claims management company and or regulated law firm) managing your motor finance claim.
• Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
• Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.

We have identified these on a lawful basis to assess whether we can, pass your details on to a third party who may assist you with obtaining your credit reference agency information. If we cannot help you or if we wish to continue to market to you with other specific products set out below after our contractual relationship has ended.

• To identify and verify you when you interact with us
• To retrieve and assess your credit reference agency data and history
• To determine the financial products or legal services you may be eligible for
• To communicate clearly with you during the assessment and service delivery process
• To refer you, where appropriate, to FCA- or SRA-regulated firms for further advice or claims management
• To ensure you are not repeatedly introduced to the same providers
• To comply with regulatory duties and conduct fraud or AML checks
• To evaluate and improve our internal processes and customer journey
• If you’d like to understand how the credit reference agencies use and share personal data (including the legitimate interests, they pursue) please read the Credit Reference Agency Information Notice (CRAIN)

We do not engage in unnecessary or excessive processing and always assess the proportionality of using any information we collect.

We will only send marketing communications (by email, SMS, or telephone) where you have provided your informed and specific consent. Any such messages will clearly state who is contacting you, what the purpose is, and how you can opt out.

You may withdraw your marketing consent at any time using:

• The unsubscribe link in our emails
• Direct contact to our support or compliance team
• Account preferences where available

We do not sell or share your personal data with third parties for their own marketing use.

We use cookies on our website to support functionality, improve user experience, and understand site usage. Cookies may:

• Help remember your login details and navigation history
• Support analytics tools like Google Analytics
• Enhance website performance across devices

You can disable cookies in your browser settings, but doing so may impact certain website functionalities.

We do limited profiling so that we can identify your specific car finance information as required. Our panel of Claims Management Companies and SRA regulated Solicitor Firms may carry out their own profiling. To find out what information we hold on you, you can write to us at:

Brighter Lending T/a Illumin8, Tempest, Suite 3.1, 3rd Floor, 12 Tithebarn Street, Liverpool, L2 2DT

Or Email: [email protected]

Yes, we do record calls. Calls and Emails are retained for a period of time and then destroyed in accordance with our Data Retention Policy.

We only share your personal data when it is necessary, proportionate, and lawful to do so. Third parties who may receive your personal data include:

• Credit Reference Agencies (CRAs): To obtain your credit report or verify identity and affordability.
• FCA-Regulated Claims Management Firms: Where appropriate, your information may be passed to regulated claims handlers to explore potential claims on your behalf.
• SRA-Regulated Solicitors: If legal proceedings or legal representation are required, we may refer you to an authorised solicitor with your consent.
• IT and Data Infrastructure Providers: We use secure service providers to support hosting, call recordings, email, customer service platforms, and analytics.
• Law Enforcement and Regulators: Where required by law, we will share your data with relevant authorities including the FCA, SRA, ICO, or HMRC.

We always ensure that any organisation receiving your data has adequate security and data protection measures in place, including appropriate contracts or data processing agreements.

We retain your personal data only for as long as necessary for the purposes for which it was collected or to meet legal, regulatory, or operational needs. Typical retention periods include:

• General enquiries and correspondence: Up to 12 months from last contact
• Client files and applications: 6 years from the last transaction or closure of the case
• Referrals to third parties: 6 years from referral date
• Marketing consents: Maintained until withdrawn

Upon expiry of retention periods, data is securely deleted, anonymised, or destroyed using certified and auditable processes.

You have the following rights under UK GDPR:

• Right to be informed: About how and why we process your data
• Right of access: To receive a copy of your personal data
• Right to rectification: To correct inaccurate or incomplete information
• Right to erasure: To request deletion of data where no longer necessary
• Right to restrict processing: To limit the way your data is used
• Right to data portability: To transfer your data to another provider
• Right to object: To challenge the processing of your data under legitimate interest or direct marketing
• Rights related to automated decision-making: Including the right to request human review

Requests should be submitted to [email protected]. We aim to respond within one month.

Where we use third-party data processors, we ensure that:

• Data is only used under our explicit instructions
• Contracts are in place to guarantee GDPR-level protections
• Security, confidentiality, and breach notification protocols are maintained

In rare cases where your data is transferred outside the UK or EEA (for example, cloud hosting or IT support services), we ensure one or more of the following safeguards apply:

• An adequacy decision has been issued by the UK Government
• Additional technical and organisational controls have been applied

We do not engage in offshore outsourcing of core processing or store personal data outside the UK/EEA without full legal compliance.

If any of your personal data changes or if you believe the data we hold is inaccurate, you may request an update by contacting us. We will verify your identity before processing any corrections and respond within one calendar month.

Your data is stored securely and handled in accordance with data protection best practices. Measures include:

• Encryption of data both at rest and in transit
• Firewalls and intrusion prevention systems
• Two-factor authentication and strict role-based access control
• Physical access restrictions at office locations and data centres
• Regular penetration testing and vulnerability scanning
• Ongoing staff training on data protection and confidentiality
• Wherever possible, we aim to store data in UK-based or EEA-compliant infrastructure.

Our services are not intended for or directed at individuals under the age of 18. We do not knowingly collect data relating to minors. If you believe we have inadvertently collected such data, please contact us immediately.

Our website may contain links to other websites or digital services operated by third parties. This policy does not cover those external sites. We recommend that you review the privacy policies of any site you visit.

Illuminate does not buy or sell personal data under any circumstances. We consider your data a responsibility, not an asset. Any transfers of data to third parties are limited to service delivery, compliance, or regulated introductions.

If you are dissatisfied with how we handle your personal data, you should first raise your concerns with our Data Protection Officer. We will investigate and respond promptly.

If you remain unsatisfied, you have the right to lodge a complaint with:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: www.ico.org.uk

Telephone: 0303 123 1113

We may update this Privacy Policy from time to time to reflect changes in law, regulation, or service delivery. When we do, we will revise the “Effective Date” at the top of the policy. Where appropriate, we will notify you directly of material changes.

We encourage you to periodically review this document, so you remain informed about how we protect your data.

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, you can contact us at:

Write to us: Brighter Lending T/a Illumin8, Tempest, Suite 3.1, 3rd Floor, 12 Tithebarn Street, Liverpool, L2 2DT

Or Email: [email protected]