Marshmallow Technology Ltd, Marshmallow Financial Services Limited, Marshmallow Technology Hungary Kft, Marshmallow Credit Services Limited, Marshmallow Repair Limited and Marshmallow Insurance Limited (collectively referred to a “Marshmallow”, “Marshmallow Group”, “we”, “us” or “our”) are committed to maintaining the privacy and confidentiality of information you provide to us. This privacy notice (“Notice”) sets out how Marshmallow uses and protects your personal data through your use of this website and any data you may provide when you purchase a Marshmallow policy.
1. What personal data we collect about you
We may collect, use, store and transfer different kinds of personal data about you. Personal data means any information about you from which you can be identified. Personal data can be designated into separate categories as per the below (please note the below examples are non-exhaustive):
- Identity Data which may include your first name, last name, any previous names, marital status, title, date of birth, gender, occupation, and photos of your driving licence and passport.
- Contact Data which may include your home address, billing address, email address and telephone number.
- Profile Data which may include your policy number, login details, your preferences, feedback and survey responses.
- Biometric Data which may include any photograph of yourself that you submit to us as part of your application process.
- Financial Data which may include your bank account and payment card details.
- Transaction Data which may include details about payments to and from you, and other details of products you have purchased from us.
- Income data which may include details about your job and income.
- Credit Bureau Data which may include your credit and payment history.
- Location Data which may include your driving data (which includes location tracking both whilst the app is being used and when it is not, speed data, braking data, acceleration data and background data).
- Vehicle Data which may include the registration, make, model and year of manufacture of your vehicle(s).
- Claims Data which may include current claims and/or any previous claims you have made or have been made against you.
- Fraud Data which may include whether you appear on fraud databases we have access to and any criminal convictions you have.
- Communications Data which may include call recordings, emails and live chat messages.
- Technical Data which may include your IP address, login data, browser type and version, time zone settings and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
- Usage Data which may include how you interact with and use our website and services.
- Marketing Data which may include your preferences in receiving marketing from us.
2. Where we collect your personal data from
We use different methods to collect data from and about you, which are listed below.
a. Through your interactions with us
You may give us your personal data when you:
- Apply for a quote on our website.
- Create an account on our website.
- Subscribe to our marketing list.
- Give us feedback or speak to us over the phone, through live chat or by email.
You may also give us the personal data of additional drivers should you add them to your policy.
b. Through automated technologies or interactions
As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
c. Through third parties or publicly available sources
The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering, and to verify your identity. If fraud is detected, you could be refused certain services or finance. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by going to www.cifas.org.uk/fpn.
We may collect personal data about you from various third parties and public sources, including:
- Fraud Data from CIFAS, the Insurance Fraud Bureau, Ravelin, LexisNexis and Onfido; and
- Identity Data, Contact Data and Vehicle Data from price comparison websites such as Go Compare, Compare The Market, Quotezone and Confused.com.
d. If you have a Marshmallow Go policy, through the Marshmallow app
If you have the Marshmallow Go policy and Marshmallow Go app, we will collect your Location Data. The Marshmallow Go app is operated by Sentiance, and you can view their privacy policy here
3. How and why we use your personal data
The UK GDPR 2018 requires us to have a legal basis for collecting and using your personal data. When we collect and use your personal data, we make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Processes that need your data
What personal data we use
Legal basis
Offering you car insurance quotes
Identity Data
Contact Data
Fraud Data
Vehicle Data
Consent - you consent to us processing this data when you generate a quote through a price comparison website or directly through our website.
Offering you car financing quotes
Identity Data
Contact Data
Fraud Data
Income Data
Vehicle Data
Financial Data
Credit Bureau Data
Income Dataa
Consent - you consent to us processing this data when you generate a quote through a price comparison website, credit broker, or directly through our website.
Issuing you with an insurance policy and maintaining it
Identity Data
Contact Data
Profile Data
Biometric Data
Financial Data
Transaction Data
Vehicle Data
Claims Data
Fraud Data
Communications Data
Location Data (for Marshmallow Go policies only)
Performance of a contract - to arrange, underwrite and manage your policy with us
Issuing you with a car finance agreement and maintaining it
Identity Data
Contact Data
Profile Data
Biometric Data
Financial Data
Transaction Data
Vehicle Data
Fraud Data
Communications Data
Performance of a contract - to arrange, underwrite and manage your policy with us
Processing claims you make or are made against you
Performance of a contract - to process and resolve claims as set out in your policy wording
Improving our services and products
Identity Data
Claims Data
Fraud Data
Technical Data
Usage Data
Legitimate interest - it is in our legitimate interest to improve our services and products for your benefit
Activating cookies on our website
Consent - you consent to us processing this data by using our website and/or opting in to cookie
Sending you marketing material
Identity Data
Contact Data
Marketing and Communications Data
Consent - you consent to us processing this data by opting-in to receiving marketing communications
Complying with legal and regulatory obligations
To comply with legal and regulatory obligations as insurance companies in the UK must comply with regulations from the Financial Conduct Authority and Prudential Regulation Authority, as well as fraud prevention and tax laws
Managing third-party claims and supporting consumers through early intervention
Identity Data,
Contact Data,
Vehicle Data
(including data collected from recent Marshmallow quotes within the last month, information provided by our policyholders, and data sourced from regulated tracing databases and service providers).
Legitimate interests - it is in our legitimate interests to manage third-party claims efficiently, control hire and repair costs, and ensure fair outcomes for all parties.
4. Who we share your personal data with
a. Disclosures within the Marshmallow Group
In order to provide our services your personal data is shared with other companies in the Marshmallow Group.
Your personal data may be shared for our general business administration, efficiency and accuracy purposes, for the prevention and detection of fraud, and also when we make changes to our group company structure.
b. Disclosures to third parties
We may also disclose your personal data to the types of third parties listed below for the purposes described in this Notice.
The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services or finance. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by going to www.cifas.org.uk/fpn.
The type of third party
What we share with them
Why we share it
Price comparison websites
Identity Data
Contact Data
Vehicle Data
We only share personal data with these companies in order to facilitate the arrangement where you received your quote and purchased your policy through their website
Fraud detection and identity theft agencies
Identity Data
Contact Data
Technical Data
Vehicle Data
Claims Data
To maintain theft and fraud registers and/or assist with identification checks and no-claims discount checks
Customer relationship agencies
Identity Data
Contact Data
Vehicle Data
Claims Data
Marketing and Communications Data
Usage Data
Profile Data
So you can return to your quote at a later date, to allow us to communicate with you if you have any questions about your policy, and to provide you with your policy documents
If you choose to use our address look-up feature then we will share your personal data with administrative companies so that they can carry out the search
To provide us with analytics for product development and bug reporting
Vehicle database companies
Profile Data
Technical Data
To provide you with insurance quotes
Identity Data
Contact Data
Financial Data
Technical Data
To allow you to pay for your policy and for financial companies to verify your payment details
Identity Data
Contact Data
Marketing and Communications Data
So that we can send you marketing materials about products/services that we think you might be interested in
Other insurance companies
Identity Data
Contact Data
Vehicle Data
If you buy breakdown cover and therefore require additional protection
Law firms and claims management companies
Identity Data
Contact Data
Vehicle Data
To handle bodily injury claims, general claims management and defendant litigation
Identity Data
Contact Data
Vehicle Data
To handle recovery and repair services
For Marshmallow Go customers only
To provide Marshmallow Go customers with feedback and insights.
For car financing customers only
Credit reference agencies
Identity Data
Income Data
Financial Data
To check your financial history and creditworthiness before offering you car financing.
Identity Data
Contact Data
Vehicle Data
To locate and retrieve vehicles if you can’t pay your car finance and haven’t agreed on an alternative solution.
Identity Data
Contact Data
Income Data
To provide car financing products to car financing customers.
Identity Data
Contact Data
Income Data
To collect amounts outstanding on your account.
When you apply for our products or services, we may carry out credit and identity checks with one or more Credit Reference Agencies (“CRAs”). This helps us confirm your identity, prevent fraud and assess your eligibility for things like paying by instalments.
We share personal information (such as your name, address and date of birth) with CRAs, who provide us with credit and fraud-prevention data. They may record our checks, which can be seen by other organisations. A search footprint will also be left on some CRA credit files, such as TransUnion’s.
We may also share ongoing information about your account (such as payment history or missed payments) with CRAs. This data can stay on your credit file for up to six years after your account is closed.
You can find out more in the CRAs’ notices at Experian, Equifax and TransUnion.
5. International transfers
Sharing your personal data both between the Marshmallow Group and to third parties may involve transferring your personal data to countries outside the EU and UK. To ensure that your personal data receives an adequate level of protection, we have put in place contractual obligations to ensure that your personal data is treated by those third parties in a way that is consistent with and respects UK, EU and local data protection laws.
6. Presence of automated decision-making
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We use automated decision-making technology to combine the information you provide with data from our partners (listed above) in order to offer you quotes and provide you with a policy.
If we make an automated decision using your personal data which has a legal or substantially similar effect, you have rights in relation to that decision. In particular, you have the right to receive information about the logic involved in relation to the decision and the right to human intervention. You can exercise this right by emailing us at dpo@marshmallow.co.
7. How long we keep your personal data
We will only hold your personal data for as long as necessary to administer your policy, manage our business or in order to comply with legal or regulatory requirements. This will be in line with our data retention policy.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may also retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for your personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we collected the data in the first place, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax and accounting requirements.
By law, we have to keep basic information about our customers (including contact, identity, financial and transaction data) for six years after they cease being customers.
In some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. In these instances, we may use this information indefinitely without further notice to you.
8. Your rights under data protection legislation
Under data protection laws, you have the following rights regarding your personal data:
- Access: you can request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you.
-Correction: if your data is incorrect or incomplete, you can ask us to update it.
-Deletion: in certain circumstances, you can request that your data be deleted (commonly known as an “erasure request”). Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
-Objection: you have the right to object to the processing of your personal data where we are relying on legitimate interest (or those of a third party) as the legal basis for that particular of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
-Consent withdrawal: you have the absolute right to object at any time to the processing of your personal data for direct marketing purposes. Note that this will not affect the lawfulness of any processing carried out to withdraw your consent. If you withdraw your consent, we may not be able to provide certain products to you but we will advise you if this is the case at the time you withdraw your consent.
- Transfer: you can request the transfer of your personal data to you or another party. This right only applies to information which you initially provided consent for us to use or where we have used the information to perform a contract with you.
- Restrict: in certain scenarios, you can ask us to suspend the processing of your personal data. If you want to exercise any of the rights set out above, please visit our privacy portal to submit a request. We aim to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In such cases, we will inform you and keep you updated on the progress of your reque.
If you want to exercise any of the rights set out above, please visit our privacy portal to submit a request. We aim to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In such cases, we will inform you and keep you updated on the progress of your request.
9. Where we store your data
We use cloud storage solutions within the UK and EU to store your personal data. In some situations, we may store your data in similar technologies outside of the UK or EU. In these cases, we will ensure that your personal data is stored in a way that is consistent with and which respects UK, EU and local laws on data protection.
10. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, altered or accessed in an unauthorised way. We also have procedures to deal with any suspected data security breach and we will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We maintain and update internal data protection policies that all staff are required to follow, and they must complete training on their responsibilities for safeguarding your personal data. Staff are also aware that any misuse of personal data may result in disciplinary action.
11. Our contact details and how to make a complaint
If you have any concerns about this Notice or how we process your personal data, please email us at dpo@marshmallow.co and we will work with you to resolve the issue.
If you are still unhappy and would like to progress your complaint further, you have the right to make a complaint to the Information Commissioner’s Office (www.ico.org.uk).
If your insurance policy is underwritten by Marshmallow Insurance Limited, you may also complain to the Gibraltar Regulatory Authority (https://www.gra.gi/)
12. Changes to this policy
We keep this Notice under regular review. Any material changes to this Notice will be sent to you by email.
Last updated: 09 July 2025
Visit our privacy portal to submit a request based on your data protection rights
