Last updated April 2026

1. ABOUT THE POLICY

This Privacy Policy explains how Loans 2 Go Limited t/a Cactus Loans (“we”, “us”, “our”) collects, uses, discloses and safeguards personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and applicable Financial Conduct Authority (“FCA”) rules.

For the purposes of data protection legislation, Loans 2 Go Limited is the data controller of your (“customer”, “applicant”, “you”) personal data. “Personal data” means any information which, alone or in combination with other information available to us, identifies you or relates to an identifiable individual.

We are committed to ensuring that your personal data is handled lawfully, fairly and transparently, and that it is kept secure at all times.

2. ABOUT US

Loans 2 Go Limited is a company incorporated in England and Wales and is registered as a data controller with the Information Commissioner’s Office, ICO Registration Number: Z720743X.

If you have any questions regarding this policy, or wish to exercise your data protection rights, request access to or correction of your personal data, or raise a complaint, you may contact our Data Protection Officer using the details set out in section 27 of this privacy policy.

3. LAWFUL BASES FOR PROCESSING

We will only process your personal data where we have a lawful basis to do so. These lawful bases include where:

• processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract,
• processing is necessary to comply with a legal obligation to which we are subject,
• processing is necessary for our legitimate interests (provided that such interests are not overridden by your fundamental rights and freedoms),
• you have given your consent, or processing is necessary for reasons of substantial public interest.
• we rely on legitimate interests; we will identify the relevant interest and ensure that such processing does not result in an unjustified adverse impact on your rights.

You have the right to object to processing carried out on the basis of our legitimate interests. Further information is set out in YOUR DATA PROTECTION RIGHTS section of this policy.

4. SPECIAL CATEGORY

Certain categories of personal data are afforded enhanced protection under data protection legislation, including (but not limited to) data relating to health, vulnerability, and criminal convictions or offences.

We will only process special category data where:

• you have given explicit consent, or
• processing is otherwise permitted by law, including where it is necessary:

• for reasons of substantial public interest, or
• to establish, exercise or defend legal claims.

5. CATEGORIES OF PERSONAL DATA WE COLLECT

When you apply for, or hold, a loan agreement with us, we may collect and process the following categories of personal data:

5.1 Children’s Data Statement

We do not knowingly collect or process personal data relating to children.

6. HOW WE COLLECT YOUR PERSONAL DATA

We collect your personal data through a variety of channels, including directly from you and from third parties, in connection with your use of our products and services. Some information is required by law or contract; failure to provide mandatory information may prevent us from entering into or continuing an agreement with you.

6.1 Data Collected Directly from You

We collect personal data directly from you when you:

• apply for our products or services,
• communicate with us by telephone, email, post, webchat, or other digital means (including where calls are recorded and internal notes are made),
• use our websites, mobile applications, social media platforms or other online services, and
• provide information to us in connection with the administration of your agreement.

6.2 Data Collected from Third Parties

We may also collect personal data about you from third parties, including:

• organisations that introduce you to us, including price comparison websites and credit intermediaries,
• credit reference agencies, including Experian, TransUnion and Equifax,
• fraud prevention agencies, including CIFAS,
• government departments, regulators and dispute resolution bodies, including the Financial Conduct Authority, the Information Commissioner’s Office and the Financial Ombudsman Service,
• social media platforms and technology providers (for example, where you interact with our advertisements),
• publicly available sources, including the Electoral Register, Companies House, and publicly accessible media and social networking platforms, for the purposes of verification and due diligence,
• market research organisations and marketing list providers, who may contact you on our behalf to obtain feedback, opinions and survey responses, and may aggregate such data with information obtained from other sources for analytical purposes, and
• organisations you have authorised to share your personal data with us, including via Open Banking or similar data-sharing frameworks.
• automatically through cookies and similar tracking technologies. Further information is provided in our Cookie Policy.

Where you provide personal data relating to third parties (for example, partner, spouse, dependants), you confirm that you have informed such individuals and obtained their consent to the disclosure of their personal data to us.

7. MONITORING AND RECORDING OF COMMUNICATIONS

Subject to applicable laws and regulatory requirements, we may monitor and record telephone calls, emails, text messages, social media communications, webchat interactions and other communications relating to your dealings with us.

Such monitoring and recording may be undertaken for the purposes of:

• compliance with legal and regulatory obligations,
• prevention and detection of fraud and other criminal activity,
• protection of the security and integrity of our communications systems and procedures,
• quality assurance, complaint handling, and staff training, and
• establishing and maintaining an accurate record of communications and transactions.

Where you enter into an agreement with us, we may monitor activity on your account where necessary for these purposes. Such processing is carried out in accordance with our legal obligations and/or our legitimate interests.

8. USE OF YOUR PERSONAL DATA

We process your personal data for the purposes set out below and in reliance on one or more of the lawful bases permitted under data protection legislation.

8.1 Processing Necessary for the Performance of a Contract

We will process your personal data where it is necessary for the performance of a contract with you, for taking steps at your request prior to entering into a contract, or to determine whether to enter into an agreement with you. This includes processing undertaken for the purposes of:

• verifying your identity and eligibility,
• assessing applications and deciding whether to enter into an agreement with you,
• administering any agreement entered into between us, including account management, customer communications, tracing your whereabouts, and debt recovery activities,
• providing products and services under your agreement and keeping you informed of account status,
• managing and responding to complaints, and
• notifying you of changes to contractual documentation.

8.2 Processing Based on Legitimate Interests

We will process your personal data where it is necessary for our legitimate interests provided that such interests are not overridden by your fundamental rights. Such purposes include:

• enhancing, tailoring and personalising your customer experience,
• identifying you when you contact us and communicating with you,
• monitoring communications and account activity,
• preventing, detecting and investigating crime and financial crime, including fraud, money laundering and terrorist financing,
• improving, testing and developing our product, services, systems and models,
• protecting the security and integrity of our systems, communications and procedures, and undertaking quality control and staff training,
• conducting market research, analytics and statistical analysis to improve our products and services,
• verifying the accuracy of data, we hold about you and developing a better understanding of your needs,
• contacting you to invite participation in customer satisfaction surveys and market research, and analysing survey responses,
• tracing your whereabouts to contact you regarding your agreement and to recover outstanding debts,
• creating and maintaining customer profiles for the purposes of tailoring products, services and marketing communications,
• sending marketing communications, subject to your preferences and applicable law,
• conducting renewal propensity analysis to provide timely and relevant renewal communications,
• corporate governance, accounting, auditing, system testing and internal business management activities,
• administering our websites and internal IT systems, including testing, troubleshooting and statistical analysis,
• ensuring network and information security and protecting against unauthorised access, loss or damage,
• improving the efficiency, accuracy and integrity of our databases and record-keeping systems,
• anonymising personal data and using anonymised data for statistical and analytical purposes,
• supporting any corporate restructure, reorganisation or sale of our business or services,
• enforcing or defending our contractual and legal rights, including in connection with legal proceedings, and
• general administrative functions, including managing queries, complaints and claims and issuing service-related communications.

8.3 Processing Necessary for Compliance with Legal Obligations

We will process your personal data where necessary to comply with our legal and regulatory obligations, including for the purposes of:

• enabling you to exercise your statutory rights,
• verifying your identity,
• establishing, exercising or defending legal claims,
• preventing, detecting and investigating crime,
• conducting creditworthiness, fraud prevention and anti-money laundering checks,
• complying with FCA and other regulatory requirements, including processing special category data where required (for example, in relation to vulnerability or health-related circumstances impacting your account), and
• monitoring communications activity in accordance with legal and regulatory obligations.

8.4 Processing Based on Consent

Where required, we will rely on your consent to process your personal data, including:

• where you request or authorise disclosure of your personal data to third parties (for example, claims management companies or other legal or professional representatives),
• where you request the processing of special category personal data (such as health-related information), and
• for the delivery of direct marketing communications by us or by third parties identified to you at the point of consent.

You may withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal. Please note that withdrawal of consent may limit our ability to provide certain products or services to you.

9. USE OF YOUR SPECIAL CATEGORY DATA

Where collected, Special Category Data is used only where strictly necessary and proportionate, including for the following purposes:

• to assess your eligibility, suitability, or affordability for products or services,
• to identify and support customers in vulnerable circumstances, ensuring appropriate treatment and outcomes,
• to meet legal and regulatory obligations, including fraud prevention, safeguarding, and compliance requirements,
• to prevent, detect, and investigate financial crime or unlawful activity,
• to support the establishment, exercise or defence of legal claims.

Access to such data is restricted to authorised personnel on a strict need-to-know basis.

10. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making and profiling are used for the purposes of assessing affordability, credit risk and the prevention and detection of fraud. The logic applied may include income and expenditure modelling, credit scoring methodologies, fraud rule sets, and behavioural scoring, including analysis of how existing agreements are managed, such as arrears history and indicators of financial difficulty. Searches conducted against publicly available data sources and credit reference agencies may be recorded on your credit file.

The outcome of automated processing may result in your application being approved, declined or referred for further manual assessment. Where applicable, you have the right to obtain an explanation of the decision, challenge an automated decision, express your point of view and to request human intervention.

11. OPEN BANKING

Open Banking provides a secure framework that enables you to permit authorised third-party providers to access your bank or building society account information.

Where you select to use Open Banking in connection with your application, your banking data will be accessed through our authorised Open Banking partner, Perfect Data Solutions Limited (“PDS”) (trading as LendingMetrics), solely for the purposes of assessing affordability and lending suitability. All data transmitted via Open Banking is encrypted and is retained by our Open Banking partner for a period of up to 90 days in accordance with FCA and Open Banking standards.

By proceeding with your loan application via our website, you expressly consent to the sharing of your personal, contact and application details with PDS. During the application process, you will be securely redirected to PDS’s portal in order to grant access to your bank or building society account transaction data. Upon receipt, your transaction information will be returned to us in the form of a completed search to enable us to continue assessing your application.

You may contact Perfect Data Solutions Limited (LendingMetrics) at:

1650 Parkway, Whiteley, Fareham, Hampshire, PO15 7AH

to request details of the personal data they hold about you. A statutory fee may be payable. Further information regarding PDS, including regulatory status, is available via their published materials.

12. DATA SHARING

We may act as both a credit broker and a direct lender. In order to provide you with the products and services you request, it may be necessary to disclose your personal data to third parties. We will only disclose your personal data where we have a lawful basis for doing so, including where you have provided consent, where we have a legitimate business interest, or where we are required to do so by law.

Subject to applicable data protection legislation, we may share your personal data with:

• credit reference agencies, including Experian, TransUnion and Equifax,
• fraud prevention agencies, including CIFAS,
• payment service providers (such as Acquired, Visa and MasterCard) for transaction processing, dispute resolution and statistical analysis,
• legal, professional and financial advisers, including auditors,
• open Banking partners and affordability and income verification service providers, including Perfect Data Solutions Limited,
• government departments, regulators and dispute resolution bodies, including the Financial Conduct Authority, the Information Commissioner’s Office and the Financial Ombudsman Service,
• law enforcement agencies for the prevention, detection and investigation of crime,
• courts and tribunals in the United Kingdom or elsewhere, where required for legal proceedings or the administration of justice,
• third parties involved in the restructuring, reorganisation, sale, merger or acquisition of some or all of our business or assets,
• third-party debt collection agencies engaged to recover sums owed to us,
• any third party to whom we sell or assign your debt, in which case you will be notified and that third party will become the data controller of your personal data,
• service providers and professional advisers acting on our behalf, including IT service providers, hosting providers, analytics providers, agents and subcontractors,
• market research organisations and marketing list providers, who may contact you on our behalf to obtain feedback, opinions and survey responses, and may aggregate such data with information obtained from other sources for analytical purposes,
• Hotjar Ltd, a third‑party analytics provider, for the purpose of understanding and improving user experience on our website. Hotjar collects behavioural and technical data (such as device information, pages visited, clicks, scroll depth and session recordings) in accordance with its own Privacy Policy, and processes this data as our data processor under an appropriate Data Processing Agreement,
• organisations that introduce you to us, including credit intermediaries,
• organisations that we introduce you to, including credit intermediaries and lenders,
• organisations you have authorised to share your personal data with us, including via Open Banking or similar data-sharing frameworks,
• carefully selected third‑party partners for research and development purposes, including to help improve, test and develop our products, services, systems and models, ensuring such processing is carried out in accordance with applicable data protection legislation and under appropriate contractual safeguards,
• any other third party where we have a lawful basis for disclosure.

All disclosures of personal data are governed by appropriate contractual, technical and organisational safeguards to ensure the security and confidentiality of your personal data.

13. FRAUD PREVENTION AGENCIES

Before providing products or services to you, we are required to verify your identity and may undertake fraud prevention checks at the application stage and throughout the duration of our relationship with you.

We may share your personal data with fraud prevention agencies (“FPA”), including CIFAS, and may receive information about you from such agencies. We and FPAs will process your personal data where necessary to comply with legal obligations and/or for our legitimate interests in preventing, detecting and investigating fraud, money laundering and other financial crime.

We use personal data obtained from you and from FPAs to:

• verify and confirm your identity,
• prevent, detect and investigate fraud and money laundering,
• perform contractual obligations, and
• support law enforcement agencies in the prevention, detection, investigation and prosecution of criminal activity.

If we or an FPA determine that there is a potential fraud risk, we may refuse to provide products or services. Fraud markers may be retained by FPAs for a period of up to six (6) years.

The personal data processed for fraud prevention purposes may include:

• name, date of birth and residential address (including address history),
• contact details,
• financial information,
• employment details,
• information indicating whether you may have been a victim of fraud,
• device and technical identifiers, including IP address, and
• information derived from automated fraud prevention decisioning.

14. CREDIT REFERENCE AGENCIES

We conduct creditworthiness, affordability and identity checks when you apply for a product or service with us. These checks are carried out using Credit Reference Agencies (“CRA”).

We will share personal data with CRAs and CRAs will provide us with personal data about you, including:

• name, date of birth and residential address,
• details of your credit applications and shared credit commitments,
• financial history and current financial position, and
• fraud prevention and financial crime information.

We use CRA data to:

• assess your affordability and creditworthiness,
• verify the accuracy of information you provide,
• prevent and detect financial crime,
• manage your accounts, and
• trace and recover debts

We will share details of your account conduct with CRAs, including account balances, repayment history, defaults and settlements. CRAs may share this information with other organisations for credit assessment purposes.

When we make a search with a CRA, a record of that search will be left on your credit file and may be visible to other lenders.

Detailed information about the CRAs including the categories of personal data they hold, how they use and share personal information, applicable data retention periods, and your data protection rights in relation to the CRAs, is available on their respective websites. The CRAs have jointly produced a document known as the Credit Reference Agency Information Notice (“CRAIN”). This document is published by each of the three CRAs and accessing it via any of their websites will direct you to the same CRAIN document.

Credit reference agencies:

• Transunion – transunion.co.uk/crain
• Equifax – https://www.equifax.co.uk/privacy-hub/crain
• Experian – experian.co.uk/crain

15. CREDIT BROKERS

We may act as both a credit broker and a direct lender. Where relevant, we may share your personal data with carefully selected, authorised credit brokers and lenders in order to provide information about products and services that may be of interest to you. Each broker or lender will process your personal data in accordance with their own privacy policies, which you should review carefully below.

T Dot UK Limited https://t.uk/privacy-policy/

16. INTERNATIONAL TRANSFERS

 We utilise cloud and productivity services provided by Microsoft Corporation, with data primarily hosted within UK and European Economic Area (EEA) data centres. Where data processed via Microsoft services is transferred outside the UK or EEA, such transfers are protected by appropriate safeguards. Where a transfer outside the UK is necessary to comply with a legal or contractual obligation or to use trusted service providers, we will ensure that appropriate safeguards are in place in accordance with UK GDPR and the Data Protection Act 2018. Such safeguards may include transfers to countries subject to UK adequacy regulations, standard contractual clauses and appropriate technical and organisational security measures to protect your personal data.

17. DATA RETENTION

We will retain personal data only for as long as it is reasonably necessary to fulfil the purposes for which it was collected and processed. This includes, without limitation, the purposes of complying with applicable legal, regulatory, accounting, audit, and reporting obligations. Retention periods are established by reference to the nature and sensitivity of the personal data, the purposes for which it is processed, and the statutory, contractual, and regulatory requirements to which we are subject. Once personal data is no longer required for these purposes, it will be securely deleted, anonymised, or otherwise disposed of in accordance with our data retention and destruction policies. Similarly, Special Category Data is retained for no longer than is strictly necessary for the purposes for which it was collected.

17.1 Customers

Where you are a customer, we will generally retain your personal data for a period of six (6) years following the termination or closure of your agreement, whether the agreement has been settled in full by you or has been concluded following a default. This retention period is intended to enable us to meet our legal and regulatory obligations and to respond appropriately to any subsequent enquiries, complaints, claims, legal proceedings, or disputes that may arise. In certain circumstances, we may retain specific categories of data for a longer period where required or permitted by law.

17.2 Applicants

Where you are an applicant and your application does not result in the formation of an agreement, we will generally retain your personal data for a period of twelve (12) months following the completion of our review of your application. This allows us to address any follow-up enquiries, complaints, claims, or disputes and to meet relevant regulatory requirements.

17.3 Leads

Where your personal data is reviewed in connection with a potential lead, but the lead is not purchased or progressed, we will generally retain your personal data for a period of six (6) months. During this period, the data may be used for internal analytical, reporting, and quality assurance purposes, after which it will be securely deleted, anonymised, or otherwise disposed of in accordance with our retention policies.

We may retain personal data including special category data for a longer or shorter period where:

• we are required to do so by law,
• you exercise your right to erasure (where applicable) and we are not required to retain the data for lawful purposes, or
• law permits retention for an indefinite period, provided that appropriate safeguards are in place.

18. RECORD OF PROCESSING & ACCOUNTABILITY STATEMENT

We maintain detailed records of our processing activities as required under UK GDPR and FCA SYSC record‑keeping rules.

19. DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

We conduct Data Protection Impact Assessments (DPIAs) whenever our processing is likely to result in a high risk to individuals’ rights and freedoms, in accordance with Article 35 of the UK GDPR and ICO guidance.

20. DATA ANONYMISATION AND AGGREGATION

We may convert your personal data into anonymised and/or aggregated data such that it can no longer be used to identify you. Anonymised and aggregated data does not constitute personal data for the purposes of data protection legislation. We may use and share such data for statistical analysis, research, reporting and other legitimate business purposes.

21. MARKETING 

We may use your personal data to provide you with information about products, services and offers that may be of interest to you. You will only receive marketing communications where you have provided your consent. Consent is obtained and recorded separately for each communication channel, including email, SMS and telephone calls. 

We do not rely on soft opt-in exemptions for existing customers. All marketing communications are sent solely on the basis of prior consent.

You may withdraw your consent at any time by using the unsubscribe functionality in any marketing communication or by contacting us directly using the details set out in the CONTACT US section of this privacy policy.

Upon withdrawal, you will be removed from future marketing campaigns.

Any survey information you provide will be processed in accordance with this privacy policy and treated with the same level of care as other personal data.

22. YOUR DATA PROTECTION RIGHTS

Under the UK GDPR and the Data Protection Act 2018, you have a number of rights in relation to your personal data. These rights do not apply in all circumstances and may be subject to legal limitations.

You have the right to:

• be informed about how your personal data is collected and used,
• access your personal data, including by making a subject access request,
• rectify inaccurate or incomplete personal data,
• request erasure of your personal data (the “right to be forgotten”), subject to lawful grounds for retention,
• restrict processing of your personal data in certain circumstances,
• data portability, to receive certain personal data in a structured, commonly used and machine-readable format, or to have it transferred to another controller where technically feasible,
• object to processing based on legitimate interests or for direct marketing purposes,
• rights in relation to automated decision-making and profiling, including the right to request human intervention and to challenge decisions, and
• withdraw consent at any time where consent is the lawful basis for processing.

To exercise any of your rights, or to obtain further information, please contact us using the details set out in the CONTACT US of this privacy policy. We may require verification of your identity before responding to your request.

23. COOKIES

We use cookies and similar technologies to distinguish you from other users of our website and to enhance your browsing experience. Cookies enable core website functionality, including security, network management and accessibility. We also use non-essential cookies, including analytical and performance cookies, where you have provided your consent.

We use trusted third-party analytics providers to collect aggregated and anonymised information about website usage. Further information regarding the cookies we use, and how you may manage your preferences, is available in our Cookies Policy. 

24. SECURITY OF YOUR PERSONAL DATA

We implement appropriate technical and organisational measures to safeguard your personal data, including encryption, access controls, monitoring and security testing. Where a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours and, where required, notify affected individuals without undue delay.

25. COMPLAINTS

If you have any concerns regarding our processing of your personal data, you may contact us using the details set out in the CONTACT US section of this privacy policy.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

26. UPDATES TO THIS POLICY

This privacy policy is reviewed periodically to reflect changes in our business operations, regulatory requirements, technology and legal obligations. Any personal data held by us will be governed by the most current version of this policy.

27. CONTACT US

If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact:

Data Protection Officer
Loans 2 Go Limited
Bridge Studio, 34A Deodar Road
London, SW15 2NN
Email: [email protected]

You can also call customer support team on 0330 400 4381 or log in to your online account portal https://login.loans2go.co.uk/login to submit a request.