Privacy Policy
Last updated: 19 March 2026
1. Who We Are
Mortgage118 is operated by Mattison Elm Ltd, a company registered in England and Wales (Company No. 09831228). We are the data controller responsible for your personal data.
Registered address: 7 Bell Yard, London WC2A 2JR
Contact: [email protected]
2. Information We Collect
Information you provide
- Name and email address (when you create an account or contact us)
- Phone number (if you choose to provide it)
- Mortgage requirements (when using our matching service)
- Business details (if you are a broker claiming a profile)
Information we collect automatically
- IP address and approximate location (country/region level)
- Browser type, device type, and operating system
- Pages viewed, time spent, and referral source
- Security and anti-abuse signals (e.g. when you submit a claim or other protected form we use Cloudflare Turnstile to help distinguish you from bots; see Section 7)
- Cookies and similar technologies (see Section 7)
3. Lawful Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we process your data on the following bases:
- Consent — when you opt in to marketing communications or use our broker matching service
- Legitimate interests — to operate, improve, and secure our platform, and to provide search and directory services
- Contract — to provide services you have requested, including broker profile management
- Legal obligation — where we are required to retain data by law
4. How We Use Your Information
- To provide and maintain our directory and matching services
- To connect you with mortgage brokers when you request it
- To manage broker profiles and verification
- To send service-related communications (account updates, security alerts)
- To send marketing communications (only with your consent)
- To analyse usage patterns and improve our platform
- To detect and prevent fraud, spam, and abuse
5. Who We Share Your Data With
We do not sell your personal data. We may share your information with:
- Mortgage brokers — when you request to be connected or submit an enquiry
- Service providers — hosting (Vercel, Cloudflare), database (Supabase), analytics (Google Analytics, Microsoft Clarity for heatmaps and session replay), email (IONOS), and Cloudflare Turnstile for bot/abuse prevention on certain forms
- Legal authorities — if required by law or to protect our legal rights
All service providers are bound by data processing agreements and process data in accordance with UK GDPR.
6. Data Retention
- Account data — retained while your account is active, then deleted within 30 days of account closure
- Enquiry data — retained for 12 months, then anonymised
- Analytics data — retained for 14 months (Google Analytics default)
- Broker profiles — retained while the broker listing is active; publicly available data (FCA number, company name) may be retained indefinitely
- Legal records — retained as long as required by applicable law
7. Cookies
Non-essential analytics cookies (Google Analytics and Microsoft Clarity) are loaded only if you choose “Accept” on our cookie banner.
We use cookies and similar technologies for:
- Essential cookies — required for the site to function (session, authentication, security). Cannot be disabled.
- Security / anti-abuse — Cloudflare Turnstile is used on certain forms (e.g. claiming a broker listing) to help prevent automated abuse. Turnstile may run in the background with minimal or no visible challenge for most users; in some cases it may show a verification step. For more detail on what Turnstile collects and how it is used, see Cloudflare's Turnstile Privacy Addendum.
- Analytics cookies — Google Analytics (GA4) to understand how visitors use our site. Data is anonymised (IP anonymisation enabled).
- Experience analytics — Microsoft Clarity, which may record interactions (such as clicks and scrolling) and replay sessions in aggregate form to help us improve the site. See Microsoft's privacy statement for how Microsoft processes data as our processor.
We do not use advertising cookies. You can control cookies through your browser settings.
8. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — request that we limit processing of your data
- Portability — request your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you can withdraw at any time
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. International Data Transfers
Some of our service providers (Vercel, Supabase, Google) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
10. Children's Privacy
Our services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Data Security
We use industry-standard security measures including SSL/TLS encryption, secure hosting, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
12. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
ICO helpline: 0303 123 1113
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised “last updated” date.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, contact us at: [email protected]