Privacy Policy
How 1310 Limited collects, uses, stores and protects your personal data in connection with the Phistos debt resolution platform.
Last updated: June 2024. This policy replaces any earlier version.
1. Data controller
The data controller for personal information processed through phistos.uk and portal.phistos.uk is:
1310 Limited
Registered in England & Wales
Data Protection Officer: [email protected]
We are registered with the Information Commissioner's Office (ICO) as a data controller. References to "we", "us" or "our" in this policy refer to 1310 Limited.
2. What personal data we collect
We collect and process the following categories of personal data in connection with the Phistos platform and the debt resolution process:
2.1 Identity and contact information
- Full name
- Date of birth
- Current and previous postal addresses
- Email address
- Telephone number(s)
2.2 Account and financial information
- Account reference number and history
- Outstanding balance and breakdown
- Payment history, including dates, amounts and methods
- Details of any payment plan arrangements
- Bank account details (where provided for direct debit setup — processed by our payment provider)
- Income and expenditure information (where provided as part of an affordability assessment)
2.3 Communications and interaction data
- Emails, letters and other correspondence with us
- Records of portal login events and actions taken
- Dispute and complaint submissions and our responses
2.4 Special category data (where disclosed)
We may process health or mental health information where you voluntarily disclose it in the context of a hardship, vulnerability or Breathing Space referral. We process such data only with your explicit consent and handle it with additional care in line with our obligations under UK GDPR Article 9.
2.5 Technical and usage data
- IP address and device type (for security and fraud prevention)
- Browser type and version
- Portal access logs and session metadata
We do not use tracking cookies or third-party analytics scripts on the Phistos website. Only strictly necessary session cookies are used on the portal to maintain your secure login.
3. How we use your personal data
| Purpose | Lawful basis |
|---|---|
| Managing and recovering the outstanding balance on your account | Legitimate interests (recovering money lawfully owed to us) |
| Setting up and administering payment plans | Performance of a contract / legitimate interests |
| Verifying your identity when you access the portal | Legitimate interests (security and fraud prevention) |
| Assessing affordability and processing hardship requests | Legitimate interests; explicit consent (for special category health data) |
| Responding to disputes, queries and complaints | Legal obligation / legitimate interests |
| Reporting to credit reference agencies | Legitimate interests (industry-standard credit reporting) |
| Complying with legal and regulatory obligations (e.g. anti-money laundering, HMRC) | Legal obligation |
| Processing payments securely | Performance of a contract / legitimate interests |
| Preventing and detecting fraud | Legitimate interests / legal obligation |
| Maintaining audit records of account actions | Legal obligation / legitimate interests |
Where we rely on legitimate interests as our lawful basis, we have carried out a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You have the right to object to processing carried out on a legitimate interests basis — see section 7 below.
4. Who we share your data with
We share your personal data only where necessary and always on a minimum-necessary basis. Categories of recipients include:
4.1 Credit reference agencies
We report account information, including defaults and payment arrangements, to UK credit reference agencies (Experian, Equifax and/or TransUnion) in line with industry-standard practice. This information may affect your credit file. You have the right to query any information reported — see section 7.
4.2 Payment processors
Card payments and direct debit mandates are processed by regulated third-party payment service providers. These providers process your payment details as data processors acting on our instructions and under appropriate data processing agreements.
4.3 Debt advice organisations (only at your request)
If you ask us to communicate with a debt adviser or free advice organisation on your behalf, we will share relevant account information with them. We only do this with your explicit agreement.
4.4 Legal and regulatory bodies
We may disclose personal data to courts, regulators (including the ICO, FCA or Ofcom) or law enforcement agencies where we are legally required to do so, or where we believe disclosure is necessary to protect our legal rights or prevent harm.
4.5 Professional advisers
Our solicitors, auditors and other professional advisers may process your data where necessary for the services they provide to us, always under confidentiality obligations.
4.6 Technology providers
Our hosting, infrastructure and software providers may process your data as data processors. All providers are subject to UK GDPR-compliant data processing agreements. We do not use providers whose primary data centres are outside the UK or European Economic Area without appropriate safeguards in place.
We do not sell your personal data to any third party. We do not share your data for marketing purposes.
5. How long we keep your data
| Data category | Retention period |
|---|---|
| Account and debt resolution records | 6 years from the date of the last action on the account, in line with the Limitation Act 1980 |
| Payment records | 6 years from payment date (tax and regulatory obligations) |
| Correspondence (emails, letters, portal messages) | 6 years from the date of the correspondence |
| Complaint records | 6 years from the date the complaint was closed |
| Audit logs (portal access and actions) | 2 years from the date of the action |
| Special category health data (hardship / Breathing Space) | As long as strictly necessary for the purpose disclosed, then deleted — typically no more than 12 months after the relevant arrangement ends |
| Technical and usage data (IP logs etc.) | 90 days |
After the applicable retention period, personal data is securely deleted or irreversibly anonymised.
6. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or disclosure. These measures include:
- Encryption of data in transit (TLS) and at rest
- Role-based access controls limiting staff access to the minimum necessary
- Multi-factor authentication for staff accessing customer data systems
- Regular security assessments and penetration testing
- Formal incident response procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and will notify you directly where the risk is high.
7. Your rights
Under UK GDPR you have the following rights in relation to your personal data. To exercise any of these rights, contact us at [email protected].
Right of access
You can request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
Right to rectification
If any of the personal data we hold is inaccurate or incomplete, you can ask us to correct it.
Right to erasure
You can ask us to delete your personal data in certain circumstances — for example, where we no longer need it for the purposes for which it was collected. This right does not apply where we have a legal obligation to retain the data (for example, financial records required under tax law).
Right to restriction
You can ask us to restrict how we use your data in certain circumstances, for example while a dispute is being investigated.
Right to portability
Where we process your data on the basis of consent or contract and by automated means, you can ask us to provide it in a structured, machine-readable format.
Right to object
You can object to processing based on legitimate interests at any time. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights related to automated decision-making
We do not use fully automated decision-making that produces legal or similarly significant effects. Where we use automated tools to support credit or affordability assessments, a member of staff reviews and can override the output.
Right to withdraw consent
Where we process your data based on consent (for example, special category health data), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
8. Right to complain to the ICO
If you are not satisfied with how we have handled your personal data or a data rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Helpline: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would ask that you contact us first so that we have an opportunity to address your concern before you escalate to the ICO.
9. Cookies
The phistos.uk marketing website does not use any tracking or analytics cookies. The portal at portal.phistos.uk uses strictly necessary session cookies only — these are required for your secure login to function and are deleted when you close your browser. No consent is required for strictly necessary cookies.
10. Changes to this policy
We may update this privacy policy from time to time. The date at the top of this page shows when it was last revised. If we make material changes, we will notify you by email or by a prominent notice on the portal. Continued use of the portal after changes come into effect constitutes acceptance of the updated policy.
11. Contact our Data Protection Officer
For any questions about this policy or about how we handle your personal data, please contact our Data Protection Officer at:
We aim to acknowledge all data enquiries within 5 working days and to respond in full within one calendar month.