We aim to make our website as accessible as possible. However if you use a screen reader and require debt advice you may find it easier to phone us instead. Our phone number is 0 8 0 0 1 3 8 1 1 1 1. Freephone (including all mobiles).

Our privacy notice for former clients of StepChange Financial Solutions

Making it clear how we handle your information

Click on the links below to jump to the sections you want to find out more about.

Quickly find what you are looking for

  1. About our privacy notice
  2. Who is responsible for your data?
  3. Where do we collect your personal data from?
  4. What information do we collect and why?
  5. When do we use Automated Decision Making?
  6. Who do we share your personal data with?
  7. Why do we use Credit Reference Agencies (CRAs)?
  8. How long will we keep your personal data for?
  9. How do we keep your personal data secure?
  10. Will we transfer your personal data outside of the UK?
  11. What are your data protection rights?
  12. How can you complain about use of your personal data?
  13. How will we tell you about any changes in how your personal data is used?

1. About our privacy notice

In July 2025 StepChange Debt Charity’s operating subsidiary ‘StepChange Financial Solutions’ ceased trading. All personal data held by the Financial Solutions team was moved to the main charity for long term storage.

Where this notice refers to “we”, “us”, or “our”, it means "StepChange Debt Charity".

This notice tells you, as a former StepChange Financial Solutions client:

  • What personal data we hold about you
  • How and why we use that personal data
  • What your legal rights and how to apply them

We recommend that you read this notice.

'Personal data' means any information that:

  • Is about you
  • Which can be used to identify you

In some cases this personal data could be more sensitive. It may be personal data that is private to you.

A full list of how we use personal data has been included at Section 4 of this notice.

We do not offer products or services to children

When we help you we may collect some personal data about children who live with you or who you are responsible for. We would only do this to make sure our advice is right for you. For example: We need to know how many people live with you when making your budget.

If you are also a client of StepChange Debt Charity we advise you to read our client privacy notice as well.

This would be if:

  • You have had debt advice
  • You are on a managed debt solution

2. Who is responsible for your personal data?

Your personal data will have originally been collected and used by StepChange Financial Solutions whose details were:

Consumer Credit Counselling Service (Equity Release) Limited

Trading as StepChange Financial Solutions

Registered Office:
123 Albion Street
Leeds
LS2 8ER

  • Registered in England no. 6741879
  • ICO registration No. Z1721238

On 31st July 2025 all personal data and records held by StepChange Financial Solutions were moved to StepChange Debt Charity whose details are:

The Foundation for Credit Counselling

Trading as StepChange Debt Charity and StepChange Debt Charity Scotland

Registered Office:
123 Albion Street
Leeds
LS2 8ER

  • Registered In England no. 2757055
  • Registered charity in England and Wales: 1016630, Scotland: SC046263.
  • Authorised and regulated by the Financial Conduct Authority.
  • ICO registration No. Z743192X

StepChange Debt Charity is as 'Data Controller'. This means we are responsible for deciding:

  • Why we personal collect data about you
  • What personal data we collect
  • How we use your personal data
  • How we store your personal data

Colleagues only have access to the personal data they need to do their job. We have controls in place to ensure this.

Our Data Protection Officer checks we are meeting the law and standards across the Group. Their contact details have been included in Section 12.

3. Where do we collect your personal data from?

StepChange Debt Charity will have received your personal data from its subsidiary company StepChange Financial Solutions. See Section 2 above.

In most cases, the Financial Solutions team will have collected your personal data directly from you. This could have been through our group’s website, by email, over the phone or by letter.

The Financial Solutions team may also have received personal data from other sources. These include:

  • Other organisations who have referred you to the StepChange group. Such as other charities, your energy supplier, or your council
  • Your creditors
  • Debt collection agencies
  • Credit reference agencies (see Section 7)
  • Law enforcement agencies and government departments (only in certain circumstances)
  • Others who are acting on your behalf
  • People you have a personal relationship with

4. What personal data do we collect about you and why?

We hold personal data about you for the purposes of:

  • Answering any questions, queries, concerns, or complaints you may have about the advice or services from StepChange Financial Solutions
  • Cooperate with regulators, auditors, lenders, government departments, or other organisations. where we must prove we are meeting financial rules, laws, or contractual commitments
  • To investigate any issues with our services or conduct of our colleagues
  • To conduct research which helps us to campaign and promote our charitable objectives

We hold personal data based on our legitimate interests to maintain adequate records. Any sensitive personal data is used to accommodate reasonable adjustments under the Equalities Act or to provide you with confidential counselling services.

We are likely to hold the following personal data about you:

  • Such as: Name, age, and any relevant reference numbers
  • So that: We know who you are, can identify you, know how to address you, and to keep records properly
  • Such as: Your address (and address history), contact telephone numbers, and email address
  • So that: We can contact you if we need to do so
  • Such as: Your personal circumstances, employment details, relationships, dependents, homeowner and asset owner details
  • So that: We could provide advice and recommendations
  • Such as: Debt information, income and spending and assets value. Information related to mortgages, equity release arrangements, income protection plans
  • So that: We can evidence what advice and recommendations we provided to you
  • Such as: A formal record of what we shared with you or we noted in our case files
  • So that: We can evidence what we advised you, which actions that were taken, and keep accurate records
  • Such as: Recordings of calls, emails, webchats, web forms, and letters
  • So that: We can evidence what we advised you, which actions that were taken, and keep accurate records
  • Such as: Any details about your health or other things you are dealing with, that you have told us about. Your race and ethnicity
  • So that: We can adapt our service, advice, recommendations and communications to meet your needs

5. When do we use Automated Decision Making?

We do not use this for:

  • Keeping your personal data or records of advice

We may use this for:

  • Making sure the quality of our service meets our standards. Such as, flagging where an interaction with us may not have met our expectations

6. Who do we share your personal data with and why?

There are a number of reasons why we might share your personal data with other organisations.

  • Where we have a legitimate business reason
  • Where we have to by law
  • To meet the terms of a contract
  • Where you have told us we can do this
  • Credit reference agencies: To check your credit file. See Section 7
  • Third party organisations: When we refer you to them for further support and only if you have told us we can do this. These may be charities or other specialists
  • Lenders, their valuation companies and solicitors: When you have applied for a mortgage or equity release with our help
  • Government departments and agencies: When they manage or sign off certain debt solutions. Such as, the Accountant in Bankruptcy (AiB) in Scotland and the Insolvency Service
  • Government departments and agencies: Where we must share personal data by law. Such as HM Revenue and Customs (HMRC), HM Treasury, and the Department of Work and Pensions (DWP)
  • Regulators: Where we must share personal data by law. These include the Charity Commission, the Financial Conduct Authority (FCA), Insolvency Practitioners Association (IPA), and the Information Commissioner’s Office (ICO)
  • Law enforcement agencies: Where we need to report a crime. Also to help them detect, investigate and prevent crime
  • Legal professionals, Courts of Law and other parties: Where information is needed for legal claims and proceedings
  • Auditors: Where we have to be audited by law. These are called 'statutory audits'
  • Our funders and partners: May also expect us to agree to audits. This is to make sure our service meets their standards. To do this, we may have to share your personal data. This could be because we are allowed by law to do this, or you have given us permission. These are called 'non-statutory audits'
  • Our insurers
  • Our accountants, legal, and compliance advisers: As well as other specialist consultants or contractors
  • Researchers we work with: Such as universities, market researchers and companies who track customer satisfaction. Where possible, we will remove personal data from the information we share with them.

We may also share your personal data if you have asked us to or told us we can.

We will keep records of what has been shared with third parties and why.

We also work with third party suppliers who help to deliver our services.

Our suppliers will only have access to your personal data where we have given them strict instructions and have first made sure that your personal data is secure when it is with them.

We use them for:

  • IT services, software, and hardware
  • Outsourced administration services

There may be other examples.

We may share ‘statistical data’:

  • Internally within our organisation
  • With Charity partners and funders
  • The wider public to support our campaign work

In these cases, you will not be able to be identified. For example, we may share or publish details about the challenges our clients face as part of our reporting on the reasons why people have financial difficulty.

7. Why do we use Credit Reference Agencies (CRAs)?

For the purposes of retaining your personal data for maintaining adequate records of advice, we don’t use credit reference agencies.

When seeking advice from StepChange Financial Solutions we may have used a CRA for a number of reasons:

  • Where we needed to know about your current finances when we set up your solution
  • Where we needed to meet the Money Laundering Regulations and Financial Conduct Regulations. To do this, we will have used CRAs to carry out ‘Know Your Client’ (KYC) and ‘Anti Money Laundering’ (AML) checks.
  • Where conducting a CRA check was a requirement of a lender’s 'Decision in Principle' (DiP) or where a lender has completed this check and shared the results with us.

How we run credit reference checks

Through our third party software providers we ran checks with the main CRAs. These were:

  • Experian Ltd
  • Equifax
  • TransUnion

We limited what information we share with the CRAs. We will only have shared basic details to find your record.

You can find out more about how CRAs use your personal data. Look on their websites for ‘Credit Reference Agency Information Notice’(CRAIN).

8. How long will we keep your personal data for?

We will need to keep your personal data to:

  • Keep a record of the advice and services we have provided to you
  • Investigate any complaints or concerns

We may destroy data sooner than this if you did not proceed to get advice from us. For example, this could be six years from:

  • Our last significant contact with you
  • The end of your StepChange managed debt solution
  • The end of any product application that we helped you with
  • The end of the financial year when you have made a payment to us

If you have taken out an equity release product with our help then we will retain your personal data for 61 years (essentially lifetime of a product).

What about recording of phone calls and other interactions?

StepChange operates a policy of recording all interactions (which includes telephone calls, web chat, and emails) which it receives and sends.

These interactions are usually kept for the following periods of time:

  • Most interactions: 6 years after the interaction
  • Interactions about equity release products: 25 years after the interaction

9. How do we keep your personal data secure?

We take appropriate technical and organisational measures to make sure that the data we hold is safe and secure.

We only allow your personal data to be used by individuals who need it to carry out their job and all of our employees and contractors are subject to confidentiality rules.

We regularly review our security controls and monitor for security breaches. We have processes in place to handle security breaches if they do happen.

10. Will we transfer any of your personal data outside of the UK?

We may need to do this from time to time. For example, if a supplier has computer servers in another country.

But we will only do this if:

  • That country meets data protection standards, as laid out by UK law. Such as, countries in the European Economic Area. Or,
  • We, or one of our third party data processors, have entered into a contract with an organisation outside of the UK, on terms approved by the UK’s data protection regulator. We also have assessed that country’s laws. Or,
  • You have clearly asked us to share your personal data with an organisation outside of the UK and we have explained the risks of doing so to you.

11. What are your data protection rights?

You have a number of rights relating to how we use your personal data.

Please contact us at DPO@stepchange.org to make a request.

We may need you to share extra detail so we can check who you are and understand what you need from us.

In most cases, we will respond within one calendar month. If there is a reason that this is taking us longer than that, we will let you know.

Your rights are:

  • To have access to, or a copy of, this privacy notice
  • To get copies of the information we hold about you
  • To get confirmation of how we use and/or have used your personal data
  • To find out how long we will continue to store your personal data
  • To update any information that is wrong, incomplete, or out of date
  • To delete or destroy data we hold about you if we no longer need it
  • To restrict the use of your personal data
  • To ask us to transfer your personal data to another organisation
  • To object to how we use your personal data
  • To take away any consent you have given us before
  • To ask for a human review where a decision has been made using a computer

There can be exemptions or restrictions for all of the above rights. If so, that could mean that we would not be able to do as you have asked. We will let you know if this is the case.

12. How can you complain about how we use your personal data?

There is a process you can follow if you are unhappy with how we have used your personal data.

Or -

  • If you are unhappy with how a data protection complaint or data protection request was handled, email DPO@stepchange.org with details

You may also raise any concerns with the Information Commissioner’s Office. They are the UK’s Data Protection regulator.

Visit their website to find out more about how to contact the ICO or call 0303 123 1113. Please note that the ICO expect you to have gone though our internal complaints process before raising a complaint with them.

13. Will we tell you about any changes in how your personal data is used?

We reserve the right to update this privacy notice at any time.

We may write to you to let you know if major changes are made to this notice.

We may also tell you in other ways, from time to time, about how we use your personal data.

We will only use your personal data for the reasons why we collected it, unless:

  • We reasonably think we need to use it for another purpose, and
  • That reason is compatible with the original purpose

If we need to use your personal data for a new reason, we will let you know and we will explain why we are allowed to do this by law.

This notice does not form part of any contract with you. We may update this notice at any time.

Published: July 2025. (Version 1).