Shh. Here’s our privacy policy

Your data, and what we do with it, matters.
Read on to see why we ask for certain types of info from you, and what we do to keep it safe. We use the same policy whether you’re browsing on your phone, tablet, PC or any other device.

What’s in here?


This website is owned by ZenAuto Limited.  ZenAuto decides the purpose and means for which personal data you supply through this website is processed, as such we are the “data controller.”

If you have any questions or comments about privacy, please contact our data protection officer: 

The Data Protection Officer
ZenAuto Limited
Number One
Great Exhibition Way
Kirkstall Forge

Email: [email protected]

The Information Commissioner's Office (ICO) regulates the processing of personal data. We are registered with ICO as a data controller and our registration number is ZA283355.

You have the right to make a complaint at any time to the ICO. We would, however, appreciate the chance to deal with your concerns before you approach the ICO - so please contact us in the first instance and we'd be happy to help.

ICO website:

ICO contact details:

Back to top

Mission statement

Your personal data is important – and we’re fully committed to protecting it

At ZenAuto, this is more than just a slogan – we believe that our business will thrive as long as it secures your trust and keeps you happy from the start of the journey to the end. Let’s start with some fundamental points:

  • We won’t sell your personal data to anyone
  • We’ll only ask for personal data that’s essential for us to provide the services
  • We’ll only share your personal data with approved third parties, many of whom we’ve worked with for years. Our third parties are not permitted to share your personal data with other organisations that we haven’t already approved
  • We’ll not bombard you with marketing messages and you can easily change your preferences at any time 

Unfortunately, the transmission of data via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website, and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to seek to prevent unauthorised access.

We do not plan to make any substantial changes to what personal data we require, or how we use it – but we’ll notify all registered users and customers by e-mail if any significant changes do happen. We also recommend that you check back to these privacy pages on a regular basis, as this will keep you up to date on any other changes.

This version was last updated on 13 May 2024.

Back to top

Your personal data

The data we collect about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed for example anonymous data.

The data you give us may include:

  • Full name
  • Marital status
  • Gender
  • Home address and any past addresses
  • Date of birth
  • Driving licence
  • Passport
  • Email address and any phone numbers
  • Financial data (including bank account, payment card details and financial history)
  • Your current job and any work history
  • Marketing preferences and whether you have ‘unsubscribed’ to marketing
  • Health data*
  • Criminal convictions data (including alleged offences, proceedings, outcomes, and sentences) *
  • Technical data (including internet protocol (IP) address, login data, data about your visit, time zone setting and location)
  • Profile data (including username and password, quotes or orders, preferences, feedback and survey responses)
  • Aggregated data**

* Sensitive personal data

You may tell us about certain health information (for example, vulnerabilities) and we will use that information to ensure that we can support you to the best of our ability and act fairly and responsibly. We will always ask for your consent and remove this data once it is no longer necessary, for example once your vulnerability ends. This data will only be made available to staff who need to see it.

We may also collect criminal convictions data as part of our fraud checks, and where we administer fines and traffic offences. 

** Aggregated data

We also collect, use and share “Aggregated Data” with our aggregator partners, such as car comparison websites and other introducers. In some instances, we will act as a joint data controller with these partners. Aggregated Data may be derived from your personal data - but is not considered personal data in law where this data does not directly or indirectly reveal your identity. If we combine or connect Aggregated Data with your personal data, so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

For example, we may use aggregated data to:

  • see how users are accessing our website and to ensure the user journey works the way it is intended to
  • develop our brand, products and services
  • personalise offers to you
  • provide our aggregator partners with order data to process their service costs and to understand how our customers use products and services from us.

Where you come to our site through our aggregator partners you should refer to their own privacy notices to understand how they will be using your personal data. This currently includes:


We Are Discounts:







It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us – for example if you change your name, address, or telephone number.


You can change your marketing preferences or stop receiving marketing at any time in the “My Account” section on the website. 

Alternatively, you can follow the “unsubscribe” links on any marketing message sent to you, or you can contact us.

Where you unsubscribe to receiving these marketing messages, this will not apply to personal data that we need to process in order to provide services relating to a leased vehicle (see Who We Share Your Data With below).

How your personal data is collected

We use different methods to collect data from and about you, including:

  • Direct contact with us - when you fill in forms on our website or contact us by phone, email, live chat or post. This includes:
    • Creating an account
    • Finance application stage
    • Order and delivery stage
    • Services after delivery
    • Entering a competition or promotion
    • Completing a survey or providing feedback 
  • Aggregator partners which introduce you to us (see more above)
  • Automated technologies – which collect technical data when you visit our website. For more information please see our Cookie Policy
  • Collection agents may supply us with data if we sought to recover the vehicle or debts

Basis on which we process your data*

We will only use your personal data when the law allows us to.

We need to verify your identity and your creditworthiness, as well as to prevent fraud and money laundering. As a finance provider, we do this to protect our business and obey any laws that apply to us.

We also use your data because you have entered into an agreement with us which we need to enforce.

We will rely on your consent only for marketing activities.You can see how we will make use of your personal data in the Who We Share Your Data With section.

Back to top

Who we share data with

We may share your personal data with a number of third party partners. We’re unable to name all of them here, due to commercial confidentiality and the large number that we work with. Instead, we’ve provided the categories of partner that we use, and the services that they will provide. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Finance application stage

Before we lease a car to you, we need to run a number of checks to verify your identity and your creditworthiness. We also need to prevent fraud and money laundering. We recommend that you read all the following information carefully.

Fraud prevention agencies

We will disclose your personal data to fraud prevention agencies.

When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. If you have requested services and financing from other providers, fraud prevention agencies may receive your personal data from those providers too.

We, and fraud prevention agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

If we, or fraud prevention agencies, determine that you pose a fraud or money laundering risk - we may refuse to provide the services or financing you have requested or to employ you, or we may stop providing existing services to you

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details provided below.

Fraud prevention agencies can hold your personal data for different periods of time and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Our fraud prevention agencies are:

  • Synectics Solutions Limited
  • Cifas

We act as a joint data controller together with Synectics Solutions Limited 

Please contact us for further details.

Credit reference agencies

In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). 

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. 

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Manage your account(s);
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at the “CRAIN” which is accessible from each of the three CRAs – clicking on any of these three links will take you to the same CRAIN document:


If you make a large number of credit applications within a short period of time, the multiple footprints on your file could affect your ability to obtain credit.

If we determine that the finance may not be affordable to you - we may not approve your application. On request, we can inform you of the CRA from which we obtained your credit file. 


We may have to run a second finance check (including fraud, identity and creditworthiness) in the following circumstances:

  • If you amend your order and the payments are higher
  • If you amend your order to select another type of vehicle 
  • If the period between the date of the initial finance check and delivery of the vehicle is more than 90 days 


We’ll use a card payment provider to take your processing fee and initial payment. We will also use an e-signature supplier to complete the lease.

Order & delivery stage

Once we’ve accepted your credit application we can proceed to order your car. At this stage your personal data will be shared with:

  • Motor dealerships, manufacturers and delivery agents to process and deliver new vehicle orders.
  • CarWow and Salesforce to match sales and invoice orders which originated from the CarWow website. The personal data is limited to your email address and postcode and is deleted once invoicing is completed. Users of the CarWow website can refer to CarWow’s Privacy Policy at:
  • Ohme to match and invoice EV home charger installations where you have chosen the “FREE home charger” offer for battery electric cars on a new lease only
  • HSBC to manage their EV marketing activity. This is limited to your name, address, and date of birth. We will also share whether you have registered an account with us, placed an order, and been approved or declined.

Services you receive after delivery

Once your car has been delivered we’ll need to share your personal data with some carefully selected partners who will help deliver our services. In most instances the data that is shared will be no more than your name, contact details and address. We’re unable to name all of the partners here, due to commercial confidentiality and the large number that we work with. Instead, we’ve provided the categories of partner that we use, and the services that they will provide. This will include:

  • Tyre suppliers – for tyre repairs or replacements
  • A vehicle recovery specialist – for vehicle recovery or roadside assistance
  • An inbound contact services centre – for out-of-hours assistance
  • A customer experience research provider - to monitor customer satisfaction
  • A collection agent - to recover debts
  • Manufacturers, franchises and approved independent garages - where you have opted for our maintenance option, and for any warranty work or recalls
  • Hard and soft copy document archiving specialists – to hold copies of our paperwork
  • An automotive data management specialist – to register our interest in the vehicle
  • Remarketing agents – to collect and remarket vehicles
  • A card payment provider – to take payments from you
  • Third party platforms - to co-ordinate and communicate with our supply chain.
  • IT and system administration service providers – to provide additional services 


If you receive services from third party suppliers, you may receive requests from them to market their products or services to you. You may also choose to use ‘connected car’ functionality, or mobile phone applications to share data directly with third parties such as manufacturers, EV chargers etc.

We cannot accept any responsibility where you agree to these requests. Your rights must be enforced directly with those organisations.

Other third parties

We may share your personal data with any member of our group. This includes our sister companies, our holding company and its subsidiaries.

We may also share your personal data to protect the rights, property, or safety of us, our customers, or others.

In certain contexts we may also share your personal data with other third parties. This may include:

  • Our Funders – We may transfer information about your arrangements with us to our third party funders and financiers (Funders), including in connection with transferring our interest, financial or otherwise, in our arrangements to those Funders. We will not transfer personal data to the Funders unless it is absolutely necessary for us to do so. In the event of our insolvency, then we may transfer your personal data to those Funders so that they may collect any remaining payments from you and to continue to manage any existing arrangements. Those Funders will provide you with their relevant Privacy Notice at that time and following receipt of your data from us.
  • Prospective sellers or buyers - in the event that we buy or sell any business or assets
  • Any third party which acquires us, or substantially acquires all of our assets – in which case your personal data will be one of the transferred assets
  • Government departments, agencies, public bodies and other third parties (such as the police, HMRC, local councils, DVLA, parking companies). This applies if we are asked to share your data in order to comply with a legal obligation (e.g. processing of traffic offenses, fines, congestion charging, prevention or detection of crime)
  • Professional advisors  to provide consultancy, banking, legal, insurance and accounting services
  • Carwow - to share your vehicle registration number only, where you choose to use Carwow's 'Sell My Car' service

Our website may contain links to the websites in our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that they have their own privacy policies. We do not accept any responsibility or liability for these. Please check their policies before you submit any personal data to these websites.

Back to top

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. We aim to comply without undue delay, and within one month at the latest.

For any of the following requests you can contact us by post or email, at: 

The Legal & Compliance Team
ZenAuto Limited
Number One,
Great Exhibition Way,
Kirkstall Forge,
Email: [email protected]

No fee required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights) but see further below.


We may refuse to comply with your request if it is clearly unfounded, repetitive or excessive. In these circumstances we will confirm your right to complain to the ICO (see details above), and to a judicial remedy, as quickly as we can - but at the latest within one month. We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

What we need from you

We need to confirm your identity before we can action any request. This is a security measure to ensure that your personal data is protected from inappropriate use. You may need to provide a copy of your photo driving licence or passport, plus a copy of a utility bill or bank statement within the last 3 months.  We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Access to your personal data

You have the right to be aware of the personal data that we or our partners hold about you, and to verify the lawfulness of the processing. This is formally known as a “Subject Access request”. 

When submitting your request, it would assist us if you could specify the information or processing activities which you’d specifically like to see. 

Regarding fraud records specifically, you should contact our joint data controller (Synectics Solutions Limited, our fraud prevention agency) for access to fraud records which have been submitted by us. Contact: [email protected]

Delete your personal data

In certain circumstances you are entitled to have your personal data erased (also known as “the right to be forgotten”). This includes the personal data that we hold on you and also the data which our partners process (see Who We Share Your Data With above). Please note that where you are leasing a vehicle from us we will be unable to erase your data as we need to enforce the contract between us. 

Restriction of processing 

You are entitled to restrict or ‘block’ the processing of your personal data. This might be where you contest the accuracy of the personal data that we hold on you, and require us to restrict any further processing until the personal data has been verified. 

Correct your personal data

You have the right to have your personal data corrected if it is inaccurate or incomplete. This will include the data that we and our partners hold on you. In many instances you can simply call or email our customer team, who can make most changes immediately, however you can also send us a formal written request.

Export your personal data

You have the right to receive your personal data in a format that can be easily transferred to, and used by, an alternative service provider. This is formally known as “data portability”. We will provide you with a CSV or Excel format file.

Object to processing:

You have the right to object where we are processing your personal data for direct marketing purposes. We will remove you from our mailing list.

Back to top

Data Retention and Transfers

Data retention

We only hold your data for as long as we need to fulfil the purposes we collected it for. This includes satisfying any legal, accounting or reporting requirements, and to protect our business. 

This is usually 6 years from the date that the agreement between us ends. We need to keep fraud records for a minimum of two years, or longer where if you are considered to pose a fraud or money laundering risk. 

In some circumstances we may anonymise or pseudonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. We may also put your personal data beyond use. In these instances we may use or hold this information indefinitely without further notice to you.

Data transfers

In the majority of cases it will not be necessary for us to transfer your personal data outside the European Economic Area (EEA).

If we do need to transfer your data outside of the EEA, we will make sure it is secured to the same high levels required in the EEA – including appropriate transfer risk assessments to ensure data is transferred securely and using appropriate contractual clauses and/or wording.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

Back to top

Use of cookies

This website uses cookies. Cookies collect information about your use of the website, including things like your connection speed, details of your operating system, the time and duration of your visit and your IP address. Cookies are widely used on the internet and do not identify the individual using the computer, just the computer being used. Cookies and other similar technology make it easier for you to log on to and use our websites during future visits.

The information collected by cookies enables us to understand the use of our site, including the number of visitors we have, the pages viewed per session, time exposed to particular pages etc. This in turn helps us to provide you with a better experience, since we can evaluate the level of interest in the content of our website and tailor it accordingly.

We will not attempt to personally identify you from your IP address unless required to as a matter of law or regulation or in order to protect our, or our other customers’, rights. Most browsers automatically accept cookies.

You can set your browser options so that you will not receive cookies and you can also delete existing cookies from your browser. However, you may find that some parts of the site will not function properly if you refuse cookies.

Cookies are used to store small amounts of information on your computer, which allows certain information from your web browser to be collected.

More detail about Cookies can be found on our Cookie Policy page.

Back to top

Automated decision-making

Automated decision-making takes place when an electronic system uses personal data to make a decision relevant to you without human intervention. As part of our finance application checks, we use automated systems to:

  • prevent fraud,
  • assess creditworthiness and affordability, and
  • verify the identity of applicants.

These checks help us to be a responsible lender and to prevent fraud. Our credit scoring methods used are regularly tested to ensure they remain fair, effective, and unbiased.

If you apply and are declined through this automated process, you can contact us within 14 days to have the decision reconsidered. You also have the right to ask that the decision is not made based solely using a credit scoring system.

Please contact us on [email protected] if you would like to discuss this further.

Back to top