Privacy Policy

1. Who We Are

First Flexi Lease is a trading name of Oak First Investments Ltd, registered in England and Wales (Company Registration Number: 9372347). We are authorised and regulated by the Financial Conduct Authority (FCA Registration Number: 835008).

For the purposes of UK data protection law, the data controller is:

If you have any questions about this Privacy Policy or how we use your personal data, please contact us using the details above.

2. What This Policy Covers

This policy applies to personal data collected through:

• our website
• contact forms, callback forms, quote forms and application forms
• email, telephone, SMS, WhatsApp and other communications with us
• customer onboarding and account management
• vehicle rental, flexi lease, rent-to-buy, lease and finance-related services
• complaints handling
• cookies and similar technologies
• vehicle tracking and telematics used in vehicles we own and supply

3. The Personal Data We Collect

Depending on how you interact with us, we may collect and use:

• your name, business name, postal address, email address and telephone number
• date of birth and address history where relevant
• information you provide in enquiry, quote, proposal or application forms
• vehicle preferences and agreement details
• identity and verification information
• driving licence, insurance and eligibility information where relevant
• employment details, income and financial commitments where relevant to a lease or finance application
• bank details (bank name, sort code, account number, account holder name) where relevant to a lease or finance application
• payment, billing and account information
• correspondence records and call notes
• complaint and dispute information
• website usage data, device data, IP address, browser type and cookie-related data
• marketing preferences
• vehicle tracking, location, mileage, servicing and maintenance-related telematics data where a vehicle supplied by us is fitted with a tracker

We only ask for personal data that is relevant to the service we are providing or the checks we need to carry out.

4. How We Collect Your Personal Data

We collect personal data:

• directly from you when you contact us or complete a form on our website
• when you speak to us by phone, email, SMS, WhatsApp or other channels
• when you request or enter into a rental, lease, finance-related or vehicle supply arrangement
• from cookies and similar technologies on our website
• from supplying dealers, delivery providers, finance companies, insurers, maintenance providers, breakdown providers and similar service partners where relevant
• from credit reference agencies and identity-check providers where relevant to soft checks or finance-related enquiries
• from regulators, law enforcement bodies, courts or professional advisers where necessary

5. How We Use Your Personal Data

We may use your personal data to:

• respond to enquiries and provide quotes
• arrange and manage rentals, leases, vehicle supply and related services
• verify your identity, address and eligibility
• carry out soft credit checks where relevant
• introduce you to external finance companies or funders where finance is requested or discussed
• administer agreements, payments, billing and account records
• arrange delivery, collection, servicing, maintenance, repairs and breakdown support
• contact you about servicing, maintenance, mileage or vehicle-related obligations
• monitor mileage and maintenance requirements on vehicles we own and supply
• locate and recover vehicles where payments have stopped, a vehicle is overdue, or we otherwise need to protect our assets
• investigate complaints, incidents, misuse, fraud, disputes and non-payment
• recover unpaid sums, including by using debt recovery or legal enforcement processes where necessary
• improve our website, services and customer experience
• keep internal records and support audit, legal and regulatory compliance
• send marketing communications where we are permitted to do so

We do not sell your personal data.

6. Our Lawful Bases for Processing

We rely on one or more of the following lawful bases under UK data protection law:

• Contract: where processing is necessary to take steps at your request or to enter into and perform an agreement with you.
• Legal obligation: where we need to comply with legal, tax, regulatory, fraud prevention or enforcement obligations.
• Legitimate interests: where we have a genuine business need to operate and improve our services, verify information, protect our vehicles and systems, monitor mileage and maintenance, recover debts, prevent misuse, investigate disputes, and defend or pursue legal claims, provided those interests are not overridden by your rights.
• Consent: where consent is required, for example for certain cookies or certain marketing activities.

Where we rely on consent, you can withdraw it at any time.

7. Credit Checks and Finance-Related Processing

Where relevant to your enquiry, quote, rental, lease or finance-related application, we may carry out checks to verify identity, address and eligibility.

These checks may include soft credit checks, which are generally used to help verify address details and assist with suitability or identity checks. Soft checks do not usually affect your credit file in the same way as a full lending application search.

Where finance is requested or discussed, we may also share your information with external finance companies, lenders or funders so they can assess whether they are able to offer finance or related services.

Credit Reference and Affordability Checks

To help us assess applications, prevent fraud, and meet our legal and regulatory obligations, we may obtain information about you from credit reference agencies (CRAs).

We obtain this information via Creditsafe, which uses its data partner TransUnion to supply consumer credit and identity data.

• Creditsafe Business Solutions Limited is authorised and regulated by the Financial Conduct Authority (FCA Firm Reference Number: 742313)
• TransUnion International UK Limited is authorised and regulated by the Financial Conduct Authority (FCA Firm Reference Number: 805757)

The information we receive may include data relating to your identity, credit commitments, payment history, and public record information. This data is used solely for legitimate business purposes, including creditworthiness assessment, identity verification, and fraud prevention, in accordance with applicable data protection laws.

Further information about how Creditsafe and TransUnion process your personal data can be found in their respective privacy notices:

• Creditsafe Privacy / Transparency Notice
• TransUnion CRAIN (Credit Reference Agency Information Notice)
• TransUnion Bureau Privacy Notice

8. Vehicle Tracking and Telematics

We install tracking devices in vehicles that we own and rent or lease out.

We use tracking and telematics data for legitimate business purposes, including:

• locating and recovering vehicles where payments have stopped or a vehicle is otherwise at risk
• monitoring mileage against agreed limits
• helping ensure maintenance and servicing is carried out in a timely manner
• protecting our vehicles and business from loss, misuse or unauthorised retention
• supporting the administration and management of the agreement

We will only use tracking data where it is lawful, proportionate and necessary for these purposes.

9. Who We Share Your Personal Data With

We may share your personal data with trusted third parties where necessary to provide our services, administer your agreement, protect our legal position, recover debts, or comply with legal and regulatory obligations. These third parties may include:

• supplying dealerships and vehicle manufacturers
• delivery, transport and logistics companies
• external finance companies, lenders and funders
• credit reference agencies and identity-check providers
• insurers, claims handlers and recovery providers
• payment processors and banking providers (including Stripe, our PCI-DSS compliant payment processor)
• maintenance, servicing, repair and breakdown providers
• transport-management companies that help coordinate servicing, maintenance or vehicle movements
• debt collection agencies, tracing agents, solicitors and courts where sums are overdue or recovery action is necessary
• IT, hosting, CRM, website, analytics and communications providers (including Convex, Vercel, Make.com, Resend and Lead Forensics)
• professional advisers such as accountants, auditors and legal advisers
• regulators, law enforcement agencies, HMRC and other authorities where required by law or where necessary to protect our rights

We only share information that is reasonably necessary for the relevant purpose.

10. Debt Recovery and Legal Enforcement

If payments become overdue or remain unpaid, we may share relevant personal data with debt collection agencies, tracing agents, solicitors, the courts, or other recovery partners in order to recover sums owed to us and protect our legal position.

This may include taking legal steps such as county court claims or other lawful recovery action where appropriate.

11. Servicing, Maintenance and Breakdown Support

We may share your contact and vehicle information with transport-management companies, maintenance providers, servicing agents, repairers and breakdown providers where needed to organise, book or manage servicing, maintenance, inspections, repairs or breakdown support.

This may include contacting you, or enabling those providers to contact you, to arrange bookings and vehicle-related support.

12. Marketing

We may use your contact details to send you information about our services where we are allowed to do so by law.

You can ask us to stop marketing at any time by:

• clicking the unsubscribe link in a marketing email
• replying STOP to a marketing text where that option is available
• contacting us using the details in section 1 of this policy

13. Cookies and Similar Technologies

Our website uses cookies and similar technologies to make the site work, improve performance and understand usage. When you first visit, a consent banner gives you the choice to accept or decline non-essential cookies.

We use Lead Forensics, a B2B visitor identification service, which operates under our legitimate interest in understanding which businesses visit our website. This service collects technical browsing data such as screen dimensions, page URL, referring website, browser type and a randomly generated visitor identifier.

Our website fonts are self-hosted and do not make requests to external font services. For full details on our cookie usage, please visit our Cookie Policy page.

14. International Data Transfers

Some of our service providers may store or process personal data outside the United Kingdom (including Convex, Stripe, Vercel, Clerk and Resend, which are based in the United States). Where your data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including the UK-US Data Bridge, Standard Contractual Clauses approved by the Information Commissioner's Office, or transfers to countries with an adequacy decision.

15. How Long We Keep Your Personal Data

We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including to:

• deal with your enquiry
• manage any agreement with you
• maintain business, tax and accounting records
• resolve complaints and disputes
• recover debts and protect our legal rights
• comply with legal and regulatory requirements

As a guide, typical retention periods are:

When personal data is no longer required, we will securely delete it or anonymise it.

16. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:

• HTTPS encryption across the entire website
• PCI-DSS Level 1 compliant payment processing via Stripe (we never handle your card details)
• Secure, HTTP-only cookies for authentication where used
• Server-side validation and spam filtering on all form submissions

Sensitive financial information submitted through our lease proposal forms (including bank details and income information) is transmitted over an encrypted HTTPS connection to our processing systems. This data is not stored in our website database.

17. Your Rights

Under UK data protection law, you may have the right to:

• request access to your personal data
• request correction of inaccurate or incomplete data
• request deletion of your personal data
• request restriction of processing
• object to processing based on legitimate interests
• request transfer of certain personal data to you or another provider
• withdraw consent where processing is based on consent
• complain to the Information Commissioner's Office

To exercise your rights, please contact us using the details in section 1. We will respond within one calendar month.

18. Children

Our services are not directed at individuals under the age of 18. Vehicle lease agreements require the applicant to be at least 18 years old. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us so that we can delete it promptly.

19. Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. You should read their own privacy notices before providing personal data to them.

20. Complaints

If you have any concerns about how we use your personal data, please contact us first so we can try to resolve the issue. You can reach us at enquiries@firstflexilease.com or visit our Complaints Policy page.

You also have the right to complain to the Information Commissioner's Office (ICO), which is the UK regulator for data protection matters:

If your complaint relates to a regulated financial service, you may also have rights to complain through the appropriate financial complaints process, depending on the nature of the product or service.

21. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page and the “last updated” date will be revised.