Privacy Policy

Effective date: 4 June 2026

Pedal Plan Limited (“we”, “us”, “our”) is a UK registered company (Company No. 14385903) authorised and regulated by the Financial Conduct Authority (FCA) under Firm Reference Number 991565.

This Privacy Policy explains how we collect, use, store, and share your personal information when you visit our website, apply for a Pedal Plan agreement, or use our services. It also sets out your rights under UK data protection law.

For information about how we use cookies, please see our Cookie Notice.

If you have any questions about this notice or wish to contact our Data Protection Officer (DPO), you can:

  • Email: [email protected]
  • Write to: Pedal Plan, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

1. Information We Collect

1.1 Information you share with us

We collect personal information directly from you when you interact with us, including:

  • Website usage data such as IP address, browser type, operating system, pages visited, and device identifiers
  • Application information such as name, date of birth, home address, email address, and phone number
  • Order information such as delivery address, order details, and payment information
  • Communications including photos, reviews, emails, attachments, and recorded phone calls
  • Social media interactions including public profile information and messages sent to us via platforms such as Facebook, Instagram, or X (Twitter)
  • Customer account information including bikes held under your plan, payments made, and account standing
1.2 Information we obtain from external sources

To assess applications, manage risk, prevent fraud, and meet our legal and regulatory obligations, we may obtain information about you from credit reference agencies (CRAs).

We use Creditsafe Business Solutions Limited, which obtains consumer credit and identity data from its data partner TransUnion International UK Limited.

  • Creditsafe FCA Firm Reference Number: 742313
  • TransUnion FCA Firm Reference Number: 805757

The information we receive may include identity verification data, credit commitments, payment history, and public record information such as CCJs or insolvency data.

Further details on how Creditsafe and TransUnion process your data can be found in their privacy notices:

2. How and Why We Use Your Data

We process your personal data for the following purposes:

  • Providing and managing your Pedal Plan agreement
  • Processing applications and assessing affordability
  • Improving our products, services, and customer experience
  • Responding to enquiries and providing customer support
  • Preventing and detecting fraud or financial crime
  • Complying with legal, regulatory, and business obligations
  • Keeping you informed about your account
  • Sending newsletters or marketing communications where you have given consent

We will never sell your personal information or share it with third parties for marketing without your explicit consent.

We may disclose your information if required by law or if you violate our Terms of Service.

3. Sharing Your Information

3.1 Independent sales staff and service partners

We work with independent sales staff, franchisees, and third-party service partners who support the delivery of our services. This may include facilitating bike sizing, processing sales, arranging delivery or collection, and managing the return or replacement of bikes.

We may share limited personal information with these partners where necessary to:

  • Process and complete your order
  • Arrange delivery, collection, or return of bikes
  • Provide customer support or resolve service issues
  • Verify information you have provided
  • Ensure the smooth operation of your Pedal Plan agreement

These partners operate under contractual agreements requiring them to process your data securely, use it only for specified purposes, comply with data protection laws, and never use your data for their own marketing or independent purposes.

3.2 Credit reference agencies

As described in Section 1.2, we share information with Creditsafe and TransUnion for identity verification, affordability checks, and fraud prevention.

3.3 Legal and regulatory disclosures

We may share your information with law enforcement, regulators, or other authorities where required by law.

4. International Data Transfers

We may transfer personal data to recipients or service providers located outside the United Kingdom and/or the European Economic Area (EEA).

Where such transfers take place, we ensure appropriate safeguards are in place to protect your personal data in accordance with applicable data protection laws. These safeguards may include:

  • UK-approved International Data Transfer Agreements (IDTAs)
  • Standard Contractual Clauses (SCCs) approved by the UK or EU
  • Transfers to countries recognised as providing an adequate level of data protection
  • Additional technical and organisational measures where required

These safeguards ensure that your personal data remains protected to a standard essentially equivalent to that provided within the UK.

5. Legal Basis for Processing

Under the UK GDPR, we rely on the following lawful bases:

  • Contractual necessity – to provide you with our services and manage your agreement
  • Consent – for optional marketing communications
  • Legal obligation – to comply with regulatory requirements, including FCA rules
  • Legitimate interests – for fraud prevention, credit risk assessment, service improvement, and business operations

6. Provision of Personal Data

6.1 Is the provision of personal data statutory or contractual?

The provision of certain personal data is primarily contractual, and in some circumstances required to meet legal and regulatory obligations.

Personal data is required in order for us to:

  • enter into and perform contracts with customers, suppliers, or business partners
  • process orders, manage accounts, and deliver goods and services
  • verify identity and prevent fraud
  • comply with applicable legal, regulatory, accounting, and tax obligations
6.2 Consequences of not providing personal data

If you choose not to provide the personal data we request:

  • we may be unable to enter into a contract with you
  • we may be unable to fulfil orders, supply goods, or provide services
  • we may be unable to conduct necessary verification, compliance, or fraud-prevention checks
  • as a result, our services may be delayed, restricted, or declined

Where personal data is requested for optional purposes, such as marketing communications, providing this information is not mandatory, and you may withdraw your consent at any time without affecting your ability to receive goods or services from us.

7. Automated Decision-Making and Profiling

We may use automated tools to support processes such as identity verification, affordability assessment, fraud detection, risk scoring, and account management.

These tools may analyse personal data using predefined rules to generate indicators or recommendations.

However, we do not make decisions that have a legal or similarly significant effect on you based solely on automated processing. All such decisions are subject to meaningful human review.

Automated tools may influence the speed or level of review applied, but you will not be subject to automatic rejection without human involvement.

8. Data Retention

We keep personal data only for as long as necessary to fulfil the purposes described in this notice and to meet legal, regulatory, or reporting obligations.

Examples include:

  • Application and account data retained for regulatory and audit purposes
  • Credit reference and affordability data retained only as long as required for assessment and compliance, then securely deleted
  • Communications and call recordings retained in line with operational and regulatory requirements

When data is no longer required, it is securely erased or anonymised.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access – request a copy of the data we hold about you
  • Right to rectification – request correction of inaccurate or incomplete data
  • Right to erasure – request deletion where no lawful basis remains
  • Right to restrict processing – request limits on how your data is used
  • Right to data portability – receive your data in a structured, machine-readable format
  • Right to object – object to processing based on legitimate interests or to direct marketing
  • Right to lodge a complaint– complain to the Information Commissioner's Office (ICO) if you are unhappy with how we handle your data

ICO website: https://www.ico.org.uk

10. Exercising Your Rights

To exercise any of your rights, contact us at:

We may need to verify your identity before responding.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be published on our website with an updated effective date.