"More than worth the monthly fee" — Chris

Privacy Policy

1. Who we are

1.1 Wollit is the trading name of Wollit Ltd, a company registered in England and Wales (company number 10687003). We are registered with the Information Commissioner's Office (ICO) under registration number ZA554988.

1.2 Our registered address is: Wollit Ltd, 35 Ballards Lane, London, N3 1XW.

1.3 We are a data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). This Privacy Policy explains how we collect, use, share and protect your personal data when you use the Wollit application (the "App"), our website at wollit.com (the "Website"), and the Wollit credit health toolkit and its features (together, the "Services").

1.4 Our Services are intended for individuals aged 18 or over. We do not knowingly collect personal data from children.

2. Personal data we collect

2.1 Information you provide to us

When you create an account and use our Services, you may provide us with:

(a) your name, email address, date of birth and home address;

(b) rental payment details and tenancy information; and

(c) communications with our support team (which may be recorded for quality and training purposes under our legitimate interests).

2.1A Which data is required?

The following data is required to create and maintain your Wollit account:

(a) your name, email address, date of birth and home address — required for account creation and identity purposes;

(b) payment details — required to collect your subscription payments.

The following data is optional:

(c) bank transaction data — required only if you wish to use bank-connected features of the Services (such as rent reporting, Tenant Passport, Affordability Boost, Credit Wins and personalised Olli features). By connecting your bank account, you agree to the processing described in section 2.2. If you do not connect your bank account, you can still subscribe to Wollit and use payment reporting, Credit Smart and general Olli features;

(d) support communications — optional, but without them we may not be able to resolve your query.

2.2 Bank transaction data

2.2.1 Certain features of the Services — including rent reporting, Tenant Passport, Affordability Boost, Credit Wins and certain personalised features of Olli AI — require you to connect your bank account. You do so through our open banking partner, TrueLayer Limited. TrueLayer is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 793171) to provide account information services. TrueLayer operates in accordance with UK data protection law and its own privacy policy (available at truelayer.com/privacy). Connecting your bank account is not a requirement to subscribe to Wollit; it is required only if you wish to use the features listed above.

2.2.2 With your permission, TrueLayer securely transmits your bank transaction data to us. This data includes transaction descriptions, amounts, dates, and your account number and sort code. We do not receive your online banking credentials. We have read-only access to your account information — we cannot move money or make payments on your behalf.

2.2.3 We use your bank transaction data to:

(a) provide informational features within the App, including Affordability Boost (which analyses your spending patterns), Credit Wins (which identifies which of your payments are building credit) and related financial insights;

(b) identify and verify your rent payments for reporting to credit reference agencies, where you have opted into rent reporting (see section 2.4);

(d) provide personalised financial insights through Olli (see section 2.6).

2.2.4 When you connect your bank account, your transaction data may be processed using artificial intelligence to provide and improve some or all of the bank-connected features of the Services. This includes — but is not limited to — identifying and categorising transactions, detecting rent payments, analysing spending patterns, generating financial insights and producing your Tenant Passport.

(a) This processing is carried out by Anthropic PBC ("Anthropic"), the provider of the Claude AI, acting as our data processor. We transmit transaction descriptions, amounts and dates to Anthropic. We do not separately transmit your name, account number, sort code or other account-level identifiers, although such information may incidentally appear within transaction descriptions.

(b) Anthropic processes this data on our behalf under a Data Processing Addendum which includes the UK International Data Transfer Addendum. Anthropic does not use your data to train its AI models. Further information is available at anthropic.com/privacy.

2.2.5 By connecting your bank account, you agree to the processing described in this section. If you do not wish your data to be processed in this way, you may choose not to connect your bank account. You may disconnect your bank account at any time through the App. This will disable all bank-connected features and stop further processing of your transaction data. Disconnection does not affect the lawfulness of processing carried out beforehand.

2.3 Payment reporting

2.3.1 When you subscribe to Wollit, we provide you with an interest-free loan which you repay through monthly subscription payments. Every payment you make is reported to Experian Ltd, Equifax Ltd and TransUnion. This reporting is a core part of the service and begins automatically when you subscribe. We do not receive credit reference data from the credit reference agencies — our relationship with them is limited to reporting your payment data.

2.3.2 Both on-time and missed payments are reported to credit reference agencies. A missed or late payment will be recorded on your credit file and may negatively affect your ability to obtain credit in the future. Missed payment data may remain on your credit file for up to six years.

2.3.3 Experian, Equifax and TransUnion will add your payment information to the credit reference data they hold about you and use it as controllers in accordance with their own fair processing notices:

Experian: www.experian.co.uk/crain
Equifax: www.equifax.co.uk/crain
TransUnion: www.transunion.co.uk/legal/privacy-centre

2.3.4 The credit reference agencies may continue to hold and use your payment data after you cancel your Wollit subscription.

2.4 Rent reporting

2.4.1 Rent reporting is an optional feature. By connecting your bank account and setting up rent reporting, you agree that your rental payment history will be reported to Experian Ltd and Equifax Ltd.

2.4.2 We identify and verify rent payments from your bank transaction data for the purposes of credit reporting. This may involve AI processing as described in section 2.2.4. The lawful basis is Article 6(1)(b) UK GDPR (performance of a contract).

2.4.3 Both Experian and Equifax may continue to hold and use your rent payment data after you cancel your Wollit subscription or disable rent reporting.

2.5 Tenant Passport

2.5.1 The Tenant Passport is an optional feature that generates an estimated summary of your income, affordability, rent payment history and financial reliability, based on verified bank data.

2.5.2 When you generate a Tenant Passport, your bank transactions from the preceding six months are processed using AI as described in section 2.2.4 to identify income, rent, recurring commitments and other relevant financial patterns. Only estimated summary figures appear on your Passport.

2.5.3 The lawful basis for this processing is performance of a contract (Article 6(1)(b) UK GDPR). You are not required to generate a Tenant Passport in order to use the Services.

2.5.4 The Tenant Passport produces a point-in-time snapshot that is valid for 30 days. After expiry, a new Passport must be generated. The figures on your Passport are estimates derived from your bank transaction data — they do not constitute a formal affordability assessment or financial guarantee.

2.5.5 Landlords or other third parties to whom you choose to provide your Passport can verify its authenticity using the Passport ID, but cannot access your underlying financial data through us. Any decisions made by a landlord or agent on the basis of your Passport are their own and are not made by Wollit.

2.5.6 If you believe any information on your Tenant Passport is inaccurate, you may regenerate it or contact [email protected].

2.6 Olli — AI assistant

2.6.1 Olli is Wollit's AI-powered assistant. Olli can answer general questions about credit, your Wollit account and financial concepts without accessing your bank data.

2.6.2 Certain Olli features — such as personalised spending insights, subscription analysis and income summaries — require access to your bank transaction data. These features are available to you when you connect your bank account and are processed in accordance with section 2.2.4. If you have not connected your bank account, you may still use Olli's general features.

2.6.3 Olli provides information and insights for your personal use only. It does not make decisions on your behalf, and its outputs are not shared with any third party.

2.7 Usage and technical data

When you use the App or Website, we automatically collect:

(a) pages visited, features used and interactions within the App;

(b) device type, IP address, browser type and operating system; and

2.8 Data from third parties

We may receive data about you from TrueLayer — your bank transaction data via open banking — as described in section 2.2 above.

3. How and why we use your data

3.1 To provide our Services (lawful basis: performance of a contract — Article 6(1)(b) UK GDPR)

(a) Setting up and managing your Wollit account;

(b) processing your subscription payments via Stripe;

(d) providing bank-connected features (see section 2.2.4);

(e) identifying and verifying rent payments for credit reporting (where you have opted into rent reporting);

(f) providing customer support via Intercom.

3.2 With your consent (lawful basis: consent — Article 6(1)(a) UK GDPR)

(a) sending you marketing communications about Wollit products and features.

You may withdraw consent at any time by clicking "Unsubscribe" in any marketing email. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

3.3 For our legitimate interests (lawful basis: legitimate interests — Article 6(1)(f) UK GDPR)

We process some data where necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes:

(a) fraud prevention and security monitoring;

(b) analytics and product improvement (using aggregated or anonymised data);

(d) managing and improving platform performance.

We have conducted legitimate interest assessments for each of these purposes and concluded that the processing is proportionate and does not override your rights. Copies of these assessments are available on request.

You have the right to object to processing based on legitimate interests — see section 7.

3.4 To comply with legal obligations (lawful basis: legal obligation — Article 6(1)(c) UK GDPR)

We process your data where required by law, including responding to lawful requests from law enforcement or the courts.

4. Who we share your data with

We do not sell your personal data. We share it only where necessary to provide our Services or where required by law.

4.1 Service providers (data processors)

The following organisations process personal data on our behalf, under written data processing agreements:

Anthropic PBC — AI processing for bank-connected features (USA; UK IDTA)
TrueLayer Limited — Open banking data transmission (UK; N/A (UK))
Stripe Inc — Subscription payment processing (USA; UK-US Data Bridge (DPF))
Intercom Inc — Customer support and messaging (USA; UK-US Data Bridge (DPF))
Twilio Inc (including SendGrid) — Transactional email and SMS (USA; UK-US Data Bridge (DPF))
Customer.io — Marketing automation and lifecycle emails (USA; UK-US Data Bridge (DPF))
Segment (Twilio Inc) — Customer data platform (USA; UK-US Data Bridge (DPF))
Mixpanel Inc — Product analytics (USA; UK-US Data Bridge (DPF))
Google LLC — Website analytics (Google Analytics, Google Tag Manager) (USA; UK-US Data Bridge (DPF))

A current list of our sub-processors is available on request by contacting [email protected].

4.2 Advertising and marketing platforms

We use the following platforms for advertising measurement and campaign optimisation. They may receive data about your interactions with the Website and App (such as events and anonymised identifiers) via Segment. These platforms act as independent controllers for their own advertising purposes:

Meta Platforms Inc (Facebook / Instagram)
TikTok (ByteDance Ltd)
Google Ads (Google LLC)
AppsFlyer Ltd

We do not share your bank transaction data, financial data or sensitive personal data with advertising platforms. You can opt out of personalised advertising through your device settings or the relevant platform's privacy controls.

4.3 Other third-party services

TrustPilot A/S — we display TrustPilot review widgets on our Website. TrustPilot may collect limited data (such as your IP address) when the widget loads. TrustPilot acts as an independent controller for its own purposes.

4.4 Credit reference agencies

We share your payment data with Experian, Equifax and TransUnion for the purposes of payment reporting (see section 2.3) and, where applicable, rent reporting (see section 2.4). The credit reference agencies act as independent controllers. For further information, see their CRAIN notices:

Experian: www.experian.co.uk/crain
Equifax: www.equifax.co.uk/crain
TransUnion: www.transunion.co.uk/legal/privacy-centre

4.5 Other disclosures

We may also share your data:

(a) with professional advisers under confidentiality obligations;

(b) in connection with a sale, merger or acquisition of Wollit Ltd; and

5. International data transfers

5.1 Some of our service providers are based outside the United Kingdom, including in the United States. Where we transfer your personal data outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These safeguards include:

(a) the UK-US Data Bridge, where the receiving organisation is certified under the EU-US Data Privacy Framework and has opted into the UK Extension;

(b) the UK International Data Transfer Agreement (IDTA);

(d) transfers to countries that have received a UK adequacy decision.

5.2 You may request details of the specific safeguards applied to any particular transfer by contacting [email protected].

6. Automated processing and AI

6.1 We use automated processing, including artificial intelligence, as described in section 2.2.4. We currently use this in the following areas:

(a) automated analysis of bank transaction data to identify income patterns, categorise spending and detect rent payments;

(b) AI-powered generation of your Tenant Passport summary;

(d) affordability analysis using algorithmic models.

6.2 Some features analyse your financial data to generate a profile of your spending and affordability. These outputs are for your personal use only and are not used to make automated decisions about you.

6.3 If you have concerns about any output produced by automated processing, you may contact [email protected].

6.4 The scope of AI processing may change as we develop the Services. Where we introduce material changes to how your data is processed, we will notify you in accordance with section 11.2.

7. Your rights

7.1 Under UK GDPR you have the following rights:

(a) Access — request a copy of the personal data we hold about you;

(b) Rectification — ask us to correct inaccurate or incomplete data;

(d) Restriction — ask us to limit how we use your data;

(e) Objection — object to processing based on legitimate interests, or to processing for direct marketing;

(f) Data portability — receive your data in a structured, commonly used, machine-readable format;

(g) Withdraw consent — where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing; and

(h) Human review — request human review of any solely automated decision that significantly affects you.

7.2 To exercise any of these rights, contact [email protected]. We will respond within one month. In complex cases, we may extend this by a further two months, in which case we will inform you within the initial one-month period.

7.3 These rights are not absolute and may be subject to exemptions under applicable law. In particular, we cannot erase payment data that has been reported to credit reference agencies where retention is necessary for the exercise or defence of legal claims or to comply with our regulatory obligations.

7.4 You also have the right to lodge a complaint with the ICO — see section 12.

8. How long we keep your data

Account and transaction data — Duration of your subscription plus 6 years from the date your account is closed
Tenant Passport — Summarised output retained while your account is active and for 30 days after Passport expiry
AI processing inputs — Wollit does not retain a separate copy of data sent to Anthropic for AI processing. Anthropic may retain data sent via its API for up to 30 days for safety and abuse monitoring, after which it is automatically deleted. Anthropic does not use your data for model training.
Marketing data — Until you unsubscribe or withdraw consent
Support communications — 3 years from your last support interaction

After the applicable period, data is securely deleted or irreversibly anonymised.

9. Cookies and tracking

9.1 We use cookies and similar tracking technologies on our Website. These include:

(a) Strictly necessary cookies — required for the Website to function (e.g. cookie preference settings, security cookies). These do not require your consent.

(b) Analytics cookies — used to understand how visitors use the Website (Google Analytics, Mixpanel). Placed only with your consent.

(c) Marketing cookies — used to measure and optimise advertising campaigns (Meta Pixel, TikTok Pixel, Google Ads). Placed only with your consent.

9.2 You can manage your cookie preferences through our cookie banner when you first visit the Website. You can revisit your preferences at any time using the cookie settings link in the Website footer.

9.3 A full list of the cookies we use is available on request by contacting [email protected].

10. Security

10.1 We implement appropriate technical and organisational measures to protect your personal data, including:

(a) encryption in transit (TLS 1.2 or above) and at rest;

(b) access controls and multi-factor authentication for internal systems;

(d) data processing agreements with all sub-processors that require equivalent security standards; and

(e) data minimisation in AI processing (see section 2.2.4).

10.2 In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 UK GDPR.

10.3 If you believe your data has been compromised, contact [email protected] immediately.

11. Changes to this policy

11.1 We may update this Privacy Policy from time to time to reflect changes to our operations, Services or legal or regulatory requirements.

11.2 Where changes are material — including changes to how we process your bank transaction data or share data with third parties — we will notify you via the App or by email before they take effect.

11.3 The "last updated" date at the top of this policy always reflects the most recent version.

12. Contact us and complaints

12.1 For data protection queries or to exercise your rights, please contact our Data Protection Lead:

Email: [email protected]
Post: Wollit Ltd, 35 Ballards Lane, London, N3 1XW

For general support queries, contact [email protected].

12.2 If you are dissatisfied with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO):

Website: www.ico.org.uk
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12.3 We would always appreciate the opportunity to address your concerns before you contact the ICO.