This site is for Own New Partners only|Click here if you are looking for a new home with Own New
Privacy Policy
Our privacy policy and how we use your data
Last updated: April 2025
1. Introduction
Market Mortgage Ltd (trading as Own New), registered in England & Wales, Company number 10821229 (“we”, “us”, “our”), operates the Own New Partner Portal (“Pulse”) — a B2B platform for property developers (builders) and mortgage brokers.
Market Mortgage Ltd is the data controller for personal data processed through Pulse. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy explains what personal data we collect, why we collect it, how we use and share it, and your rights. By creating an account and logging in to Pulse, you acknowledge that you have read this policy.
This policy should be read alongside our Cookie Policy and Terms of Service.
2. Information We Collect
2.1 User account data
When you register for a Pulse account or are added as a team member, we collect:
- Full name and email address
- Organisation membership and role within that organisation
- IP address and browser user agent, captured automatically by our authentication system on each session
2.2 Lead and borrower data
Leads represent prospective homebuyers submitted via builder websites, widgets, or directories. We collect and store on behalf of our builder and broker partners:
- First name, last name, email address, phone number
- Property price of interest, deposit amount
- Development of interest and enquiry message
- Lead source (e.g. website, widget, directory, mortgage calculator)
2.3 Letter of Approval (LoA) data
When brokers submit a Letter of Approval for a customer, we collect:
- Customer names (up to two applicants) and customer email address
- Full property address (street, town, postcode, county) and purchase price
- Solicitor details (name, email address, and firm name)
- Mortgage identifier (MMID) and the submitting broker's details
2.4 Partner application data
When a builder or broker applies to join the Own New network via the /become-a-partner form, we collect:
- First name, last name, email address, company name
- Companies House number and FCA number
- Number of active developments and selected plan
2.5 Contact form data
When you submit the contact form, we collect your first name, last name, email address, and message. This data is transmitted to us by email only and is not stored in the Pulse database.
2.6 Technical data
We automatically collect technical data when you use Pulse, including IP addresses, browser user agents, page views, and in-app events. See section 5 (Third-Party Service Providers) for details of the analytics and error-monitoring tools that process this data.
3. How We Use Your Information
| Data category | Purpose | Lawful basis |
|---|---|---|
| User account data | Create and manage your account; authenticate you; send transactional emails (OTP codes, notifications) | Contract — necessary to provide the service you have signed up for |
| Lead/borrower data | Distribute leads to assigned broker firms; track lead status and outcomes; generate reporting for builder partners | Contract — processing is necessary to perform the partner relationship |
| LoA data | Issue Letters of Approval; satisfy FCA record-keeping requirements for regulated mortgage activity | Contract and Legal obligation — FCA regulatory requirements for brokers |
| Partner application data | Process applications to join the Own New network; conduct due diligence (Companies House, FCA register) | Legitimate interest — vetting prospective partners before granting platform access |
| Technical / analytics data | Understand platform usage; identify and fix errors; improve features | Legitimate interest — platform maintenance and improvement |
4. Borrower (Homebuyer) Data
Borrower data (section 2.2) is not collected directly from homebuyers. It is submitted by our builder partners — typically captured on their own websites or via an Own New-provided widget — and transferred to Pulse on the builder's behalf.
Once a broker firm is assigned to a lead, that firm gains access to the borrower's contact details and enquiry information so they can make contact. Broker assignment is irreversible: once a broker firm has been assigned to a lead, the assignment cannot be undone (to prevent re-sharing or un-sharing of borrower personal data in a way that could breach data protection obligations).
Builders with the owner or admin role can view full borrower PII. Team members with the member role see redacted email addresses and phone numbers when viewing leads.
Borrowers who wish to access, correct, or erase their data held within Pulse should contact us at [email protected]. Note that data shared with Zoho CRM (our primary CRM system) persists independently — see section 8 (Data Retention) below.
5. Third-Party Service Providers
We share personal data with the following sub-processors. All sub-processors are contractually required to process data only on our instructions and in accordance with UK GDPR requirements.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Zoho CRM (zoho.eu) | Customer relationship management | User profiles, leads, LoA records, contacts, training qualification status | EU |
| PostHog (eu.posthog.com) | Product analytics | User ID, page views, in-app events, browser metadata | EU |
| Sentry (de.sentry.io) | Error monitoring and session replay | Errors, stack traces, and session recordings (approximately 10% of sessions) | EU (Germany) |
| Zoho PageSense (zoho.eu) | Heatmaps and session recording | User interactions and page content | EU |
| Mapbox | Geocoding for development locations | Development postcodes only — personal addresses are not sent to Mapbox | US |
| Resend | Transactional email delivery | Email address and OTP codes | US |
| Cloudflare R2 | File storage | Training certificates, PDFs, and marketing assets | TBC |
6. Data Sharing
We share personal data in the following circumstances:
- Assigned broker firms:When a lead is assigned to a broker firm, that firm's owner and admin users can access the borrower's full contact details and enquiry information. Assignment is permanent (see section 4).
- Zoho CRM: Lead data, LoA records, user profiles, and contact information are synchronised to Zoho CRM as our primary record system for partner relationship management.
- Analytics and error monitoring providers: Usage data and error data are shared with PostHog, Sentry, and Zoho PageSense as described in section 5.
- Legal or regulatory requirements: We may disclose personal data where required by law, court order, or regulatory authority (including the FCA or ICO).
We do not sell personal data to third parties, and we do not share personal data with third parties for their own marketing purposes.
7. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction:
- All data is transmitted over encrypted HTTPS connections.
- Database access is restricted to authorised application infrastructure; no direct public database access is permitted.
- Role-based access controls limit which users can view sensitive PII: email addresses and phone numbers are redacted for member- role users viewing lead records. Only owner and admin roles have access to full borrower contact details.
- Authentication uses one-time passwords (OTP) sent to verified email addresses; no static passwords are stored.
- Session recordings captured by Sentry cover approximately 10% of sessions and are subject to Sentry's security standards.
Despite these measures, no system is completely secure. If you discover a security vulnerability, please contact us at [email protected] immediately.
8. Data Retention
We retain personal data for as long as necessary to provide the service and meet our legal and regulatory obligations:
- Account deletion:When a Pulse account is deleted, associated session records, user profiles, training records, certificates, and evidence downloads are deleted by cascade. However, audit log entries retain a snapshot of the actor's name even after account deletion (the actor ID is nulled).
- Training certificate snapshots: Name and email address snapshots embedded in issued certificates persist after account deletion, as they form part of the immutable certificate record.
- Zoho CRM records: Lead, LoA, and contact records synchronised to Zoho CRM are not deleted when a Pulse account is deleted. Zoho records persist independently and are subject to Own New's separate data retention practices within Zoho. Individuals who wish to request deletion of Zoho records should contact us directly (see section 13).
- No automated cleanup: There are currently no automated cron jobs that delete old lead or LoA records. Retention periods for these records will be defined and implemented in a future update to this policy.
9. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding personal data we hold about you:
- Right of access: You may request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where there is no legitimate reason for us to continue processing it. Note that some data (e.g. LoA records required for FCA compliance, Zoho CRM records) may be retained despite such a request.
- Right to restriction: You may request that we restrict processing of your data in certain circumstances (e.g. while a rectification request is being assessed).
- Right to data portability: Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of the data you provided to us.
- Right to object: You may object to processing carried out on the basis of legitimate interest. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.
To exercise any of these rights, please email [email protected]. We will respond within one calendar month. We may need to verify your identity before processing your request.
Note: There is currently no automated Subject Access Request mechanism in Pulse. All requests are handled manually.
10. International Transfers
Most of our sub-processors operate within the EU/EEA and process data under the UK GDPR adequacy decision for EU-based transfers. Two sub-processors operate in the United States:
- Mapbox(geocoding): Only development postcodes are sent — no personal addresses or names. The limited nature of the data and its non-personal character reduces the transfer risk.
- Resend (transactional email): Email addresses and OTP codes are transferred to Resend in order to deliver authentication emails. Resend participates in the UK International Data Transfer Agreement (IDTA) framework.
The storage location for Cloudflare R2 (certificates and PDFs) is to be confirmed. We will update this policy once confirmed.
11. Children's Data
Pulse is a business-to-business platform intended solely for use by FCA-regulated mortgage brokers, property developers, and their staff. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us at [email protected] so we can delete it.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page.
Where changes are significant, we will take reasonable steps to notify active users (for example, via an in-app notice or email). Continued use of Pulse after a policy update constitutes acceptance of the revised policy.
13. Contact & Complaints
If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:
Market Mortgage Ltd (trading as Own New)
Email: [email protected]
Company number: 10821229
Registered in England & Wales
If you are not satisfied with our response, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Market Mortgage Ltd (trading as Own New) is registered in England & Wales. Registered Company number 10821229. Market Mortgage Ltd administers the Own New scheme and is not regulated by the FCA. Users of the scheme should seek independent advice from a qualified and regulated mortgage broker before making any decisions.