Privacy & cookies notice

Privacy and Cookie Policy

Contents

Use the links below to take you directly to the section of the Policy you wish to read:

Introduction – About this privacy and cookie policy

This Policy gives you information about how PRA Group (UK) Limited collects and uses your personal data through your use of our website at https://www.pragroup.co.uk (the “Website” and our mobile app PRA Group (the “App”) (the “Platforms”).

If you are a customer of PRA Group (UK) Limited and/or PRA Group UK Portfolios Ltd, you will have also received our Fair Processing Notices when your account was purchased by the legal owner of your debt. These notices explain how PRA Group (UK) Limited and PRA Group UK Portfolios Ltd use your personal data to manage your account. If you want to read these Fair Processing Notices, please visit: Fair processing notice | PRA UK. If you are a user of the App, you will find them in the support section of your online account.

For our customers, this Policy supplements those Fair Processing Notices and provides additional information about how your personal data is used when you use our Platforms to manage your account online or make a payment via your online account using our Platforms.

For both our customers and any other persons visiting our Website, this Policy also provides information about how your personal data is used when you use our Website to contact us (e.g. via email, letter, phone, SMS, or Live Chat), complete forms or surveys, give consent for receiving marketing communications from us or respond to information requests.

This Policy explains:

  • how we use your personal data,
  • who we share it with,
  • your rights, and
  • use of Tracking Technologies.

 

If you plan to make a payment on the Platforms, please read the PRA Group Website & App Terms of Use and this Policy first.

Important: We may update this Policy from time to time. Please check it each time you visit.

About Us

The Platforms are operated by PRA Group (UK) Limited, Level 11, Riverside House, 2A Southwark Bridge Road, London, SE1 9HA (“PRA UK”). PRA UK is also the data controller responsible for your personal data. In this Policy, PRA UK may be called “we,” “us,” or “our.” Together with other companies in our group, we are called “PRA Group.”

How We Collect Your Personal Data

We collect personal data in several ways:

  • Direct interactions – You provide data when you browse our Website, use our App, fill in forms or contact us. This includes when you:
    • Log into your account
    • Speak to an agent
    • Use our Live Chat facility on the Platforms
    • Send us an SMS or access the communications we send to you by SMS
    • Email us
    • Request marketing messages
    • Complete a form or survey
    • Give feedback

 

  • Automated technologies – When you use the Platforms, we collect Technical Data about your device and activities through cookies, server logs, and similar technologies. These technologies are used only on our Platforms (and any other related services we operate) to improve functionality, performance, and analytics. See our Tracking Technologies Policy below for details.

 

  • Third parties and public sources – We may receive data from:
    • Analytics and advertising providers (e.g., Google)
    • Credit Reference Agencies (e.g., Experian, Equifax, TransUnion)
    • Payment service providers (e.g., Elavon, Payit by NatWest, Barclaycard Smartpay and Bottomline Technologies Limited)

What do we do with your information

We use the information we process about you for these purposes.
Purpose Explanation Legal basis
Debt collection We process your personal data to collect your debt, including processing your payments. We might also contact you to let you know about changes to our services. Our legitimate interest
Online accounts We process your data to provide you with access to your online account and its functionalities. Contract Our legitimate interest
Contact If you give us your name and contact details (address, phone, or email) and ask us to contact you, we will process your data for that purpose. We will also process your data if you contact us directly (e.g. by sending a letter, calling, or sending an e-mail or via Chat). Our legitimate interest
Improve your experience on our Platforms We make sure the Platforms work well on your device, and we run tests to make it better. Our legitimate interest
Marketing We may share information about our products and services, as well as selected third-party products and services that we believe may be of interest to you. We might also contact you to let you know about changes to our services. Your consent
Fraud and crime prevention We process data to ensure the security of our Website, services and to prevent crime. Our legitimate interest
To discuss your experience with us Based on feedback you provide. Our legitimate interest

Marketing Communication

We want to support your financial wellbeing, and to let you know about products and services that could help you meet your needs and goals. Where you have given us your consent, we may process your personal data to send you marketing communications about our products and services, as well as selected third-party products and services, that you might be eligible for.

You can provide your consent in your online account on our Platforms or by phone. When you provide consent, you can choose your preferred contact method (such as email, SMS, or phone). Consent is specific to each channel.

You can withdraw your consent or change your preferred contact method anytime:

  • by updating your preferences in the Marketing Preferences section in your online account on our Platforms,
  • by phone.

 

You can also find a link to the Marketing Preferences section in your e-mail communication. Withdrawing consent will not affect the lawfulness of processing carried out before your withdrawal.

We do not share your personal data with third parties for their own marketing purposes. However, our marketing communications may include information about third-party products or services offered in partnership with us.

For more details about your rights, including the right to withdraw consent, please see the Your Rights section of this Privacy Policy.

Security of Your Personal Information

We use strong security measures to protect your personal data from being lost, misused, accessed without permission, changed, or shared by mistake. Access to your data is limited to employees, agents, contractors, and third parties who need it for business purposes. They can only use your data following our instructions and must keep it confidential.

Important to know:

  • Sending information over the internet is never completely secure. We cannot guarantee the safety of data you send to us online, so you share it at your own risk.
  • If we give you login details, including a password, or if you choose them yourself, you are responsible for keeping them private. We are not liable for any unauthorised use of your login details on the Platforms.

 

We have procedures to handle suspected data breaches. If a breach happens and the law requires it, we will inform you and the relevant regulator.

Disclosing Your Information

We may share your personal information with any member of PRA Group if there is a legal reason to do so. This includes our subsidiaries, our holding companies, and their subsidiaries.

We may also share your personal information in the following situations:

  • Legal obligations: with authorities when required by law, or to prevent fraud and money laundering.
  • Contractual obligations: with the legal owner of your debt and Credit Reference Agencies (e.g., Experian, Equifax, TransUnion).
  • Service providers: if you are our customer, please visit: Fair processing notice | PRA UK and read the dedicated section on data recipients which explains the extent to which your data will be shared. If you are not our customer, we may share your data with third parties who act as data processors for us, including companies used to send information to you or that provide us with support and technical assistance, IT service providers, companies that assist us with marketing, market and product research, and to develop future business service offerings which support your needs.
  • Payment processing: with payment service providers processing payments made through the Platforms.
  • Protecting our rights: when necessary to enforce or protect our legal rights.
  • Other disclosures: we may share data with other recipients for purposes covered by our Fair Processing Notices. For more information – check out our Fair processing notice | PRA UK.

Transfer of Data Outside the United Kingdom

Your personal data may be transferred to a recipient in a third country. A third country is a country located outside the United Kingdom, including the United States of America and the European Economic Area. A third country may not have data protection laws equivalent to those in the UK. In such case, we will take all necessary steps to ensure the safety and security of your personal data in accordance with applicable data protection laws.

We may only transfer your personal data outside the UK if:

  • the UK Government has confirmed that the country to which we transfer the personal data ensures an adequate level of protection for your rights and freedoms; or
  • appropriate safeguards are put in place such as binding corporate rules or standard contractual clauses approved for use in the UK.

 

At your request we will electronically provide you with a copy of the concluded contractual provisions and information on the scope of your personal data that has been transferred. Where necessary and upon explicit request, a paper copy of this information may be sent to you.

Data Retention – How Long We Keep Your Personal Data

Time for which we will keep your personal data depends on the purpose for which it was collected.
Purpose Data Retention
Debt collection Generally, your personal data will be retained by us while we service your outstanding debt until 6 years after your account is closed, however different periods might apply. Please check our Fair Processing Notices for more information.
Online accounts For the duration of time that your online account is active, being while we service your outstanding debt and 1 day thereafter.
Contact If you are our customer, we will store the data for a period of time consistent with the purpose of the debt collection. If you are not our customer, we will store the data for up to 6 years.
Improve your experience on our Platforms For the duration of the storage of performance cookies or SDKs. Please check our Tracking Technologies Policy below for more detailed information.
Marketing We will process your data from the moment you give your consent until you withdraw it.
Fraud and crime prevention If you are our customer, we will store the data for a period of time consistent with the purpose of the debt collection. If you are not our customer, we will store the data for up to 6 years
To discuss your experience with us If you are our customer, we will store the data for a period of time consistent with the purpose of the debt collection. If you are not our customer, we will store the data for up to 6 years
In some cases, you can ask us to delete your data. See Your Rights below for details. Once the retention period has ended, we will either delete or anonymise your data. If we decide to keep some data for research, analysis purposes, or to improve our services, we anonymise it to prevent identifying you. This involves removing information such as your name, contact details, and other personal data that could lead to your identification. We have implemented additional measures to prevent re-identification. Our anonymisation processes are regularly reviewed to help ensure the security of your data. We do not use anonymised data to make decisions about you as an individual.

Third Party Personal Information

If you give us personal information about someone else, you confirm that they have authorised you to act for them. You also confirm that you have told them who we are and explained why their personal information will be processed, as described in this Policy.

Important: You must have permission before sharing someone else’s data.

Your Rights

Under data protection laws, you have certain rights regarding your personal data. Please note that many of these rights are not absolute. We may not fully comply with your request if, for example, the law requires us to process your data in a way that conflicts with your request or if exemptions under data protection law apply. If this happens, we will explain when you make your request. Your rights include:
  • Right to access: You can ask if we process your data, ask for information on how we process it and/or ask for a copy of the personal data we hold about you.
  • Right to rectification: if any personal data we hold is incorrect, let us know so we can update it.
  • Right to erasure (right to be forgotten): You can request that we delete your personal data.
  • Right to restrict processing: You can ask us to limit how we use your personal data.
  • Right to data portability: You can receive your personal data in a structured, machine-readable format and ask us to transfer it to another controller.
  • Right to object: You can object to how we use your data, including for direct marketing.
  • Right not to be subject to automated decisions: If you are our customer, please visit: Fair processing notice | PRA UK and read the dedicated section on profiling and automated decision-making which explains the extent to which your data will be subject to profiling and automated decision-making and your rights where you think an automated outcome is wrong or unfair. If you are not our customer, please note that your data will not be subject to profiling or automated decision-making.
  • Right to withdraw consent: If we process your data based on consent, you can withdraw it at any time. This will not affect processing done before withdrawal. If you wish to withdraw marketing consent you can update this information in the Marketing Preferences section of your online account or by phone.
  • Right to complain: if you consider that the processing of your personal data by us infringes your rights or applicable data protection laws. You can find our contact details in the section headed Contact us.

How to exercise your rights?

You can exercise your rights by contacting us in writing, by phone, SMS, or electronically, or through an authorised third party. For security reasons, we may ask for more information to confirm your identity.

Right to complain to Supervisory Authority:
If you believe we have processed your data incorrectly, you can complain to the Information Commissioner (ICO):

  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Website: https://ico.org.uk

 

Please note that the Information Commissioner now expects that you will have given us an opportunity to resolve your concerns, before raising the matter with them.

Webserver Logs

When using our Platforms, we automatically collect some information and store it in log files for statistical purposes. These logs include standard details such as your IP address, browser type, internet service provider, and operating system.

This information is used only by PRA UK in accordance with this Policy. We do not share or sell it to third parties. We use it to analyse trends, manage the Platforms, and understand general information about our users.

Tracking Technologies Policy

On our Platforms we use cookies and Software Development Kits (SDKs) as well as other similar technologies (“Tracking Technologies”) to make our Platforms work better and to provide useful information to platform owners.  We use different technologies depending on whether you interact with our Website or our App. The sections below explain the Tracking Technologies used on our Website, followed by the Tracking Technologies used in our App.

Website Tracking Technologies

On our Website we use cookies, which are small text files that websites you visit and use place on your device. Cookies set by us are called first-party cookies. We also use third-party cookies, which come from other domains. Our cookies are primarily used for performance monitoring and analytics to improve your experience on our In the future, we may also use cookies for marketing purposes to further improve your experience, but when we do so, we will update this Policy to explain more about this type of cookie. See below for further details about the type of cookies we currently use.

Strictly Necessary Cookies

These cookies are essential for the Website to work. You cannot turn them off. They are usually set when you take actions like setting your privacy preferences, logging in, or filling out forms. You can change your browser and App settings to block these cookies or alert you about them, but some parts of the Website will not work if you do. These cookies do not store any information that can identify you personally.

How to Delete Cookies while using our Website

To remove the cookies saved while using our Website, please follow the steps below.

How you can Manage Tracking Technologies on the Website

You can change your preferences or withdraw your consent in respect of our opt-in Tracking Technologies at any time. To do this, click on the shield icon in the bottom left corner of our Website, which will allow you to manage your cookie settings. Cookies that are essential for the Website to work do not need your consent and you cannot turn them off.

App Tracking Technologies

In our App we use Software Development Kits (SDKs). SDKs are small pieces of software we add to the App to help it work properly.

We use SDKs to:

  • make sure the App works correctly and securely
  • support key features such as logging in and making payments
  • understand how people use the App so we can improve it
  • identify and fix technical problems

 

Some SDKs need to process information from your device to do this. This may include:

  • your device type and settings
  • technical identifiers (like an ID number linked to your device)
  • how you use the app (for example, which screens you visit)

 

We only use the information that is needed for each purpose.

List of SDKs used in our App

The tables below show the SDKs we use in our App, what they do, and the type of information they process.

Strictly Necessary SDKs

These SDKs enable core app functionality, including networking, content display, system integration, and background processing on both iOS and Android platforms. They also protect your data through secure authentication methods such as Face ID and Touch ID, and support the internal operation of our App services. Finally, they allow us to manage your consent preferences and privacy choices, including control over tracking permissions. These SDKs are essential for the App to function and cannot be switched off.
Vendor SDK / Group SDK used Platform Lifespan
Apple Core iOS system frameworks (e.g. UIKit, Foundation, Core Graphics, Security, WebKit, Networking libraries) First party (device operating system) iOS No independent storage. Data processed on device or retained in line with core account and security records
Apple Security & Authentication frameworks (e.g. CryptoKit, Local Authentication) First party (device operating system) iOS Processed on device. Authentication data is not stored by PRA systems
Apple System runtime and processing libraries (e.g. libswift, libSystem) First party (device operating system) iOS No independent storage. Required for app operation only
Google AndroidX Libraries First party (device operating system) Android No independent storage. Required for app functionality
Google Firebase Core components Third party iOS Retained only as required for service operation and in line with system configuration
Google Supporting libraries (e.g. Promises, transport components) Third party iOS No independent storage. Supports internal processing only
OneTrust CMP SDK Third party iOS / Android Retained for the duration of your consent preferences and in line with preference records
Apple App Tracking Transparency First party (device operating system) iOS Stored in line with device-level privacy settings

Functional SDKs

These SDKs power the App’s core features, including push notifications, in-app messaging, customer support chat, and calendar and reminder functionality. They also handle media display, image loading, animations, and QR/barcode scanning to ensure a smooth user experience. Finally, they support behind-the-scenes operations such as secure data communication, remote configuration of app settings, and A/B testing to help us improve usability. Functional SDKs can be enabled or disabled through your preferences; they rely on your consent.

Vendor SDK / Group SDK used Platform Lifespan
Google Firebase Cloud Messaging Third party Android Retained while notifications are active or until preferences are changed
Google Firebase Remote Config Third party iOS / Android Retained while feature configuration is active
Google Firebase A/B Testing Third party iOS Retained for the duration of the testing period
Mapp Engage (notifications and messaging) Third party iOS / Android Retained until preferences are changed or messaging is no longer active
Apple EventKit / EventKit UI First party (device operating system) iOS Processed on device and subject to user device settings
Apple PhotosUI First party (device operating system) iOS No independent storage by PRA. User-controlled via device permissions
Airbnb Lottie / lottie-ios Third party iOS / Android No personal data stored
Coil‑KT Coil Third party Android No personal data stored
Square OkHttp / Retrofit Third party Android No independent storage. Supports secure communication only
JetBrains / Koin Kotlin support libraries Third party Android No personal data stored
Google ZXing (Barcode Scanner) Third party Android Data processed only at point of use and not stored

Performance SDKs

These SDKs help us understand how the App is used and measure key events without tracking you across other apps. They also monitor App speed, detect crashes, and provide performance diagnostics so we can fix issues quickly. Performance SDKs can be enabled or disabled through your preferences; they rely on your consent.
Vendor SDK / Group SDK useds Platform Lifespan
Google Firebase Analytics Third party iOS / Android Up to 14 months, after which data is deleted or anonymised
Google Firebase Crashlytics Third party iOS / Android Up to 90 days
Google Firebase Performance Monitoring Third party Android Up to 14 months (aggregated performance data)
Apple MetricKit First party (device operating system) iOS Short-term diagnostic data (typically up to 90 days)
Google Google Ads On-Device Conversion Third party iOS Processed on device and retained only in aggregated form
Google Analytics support components (e.g. GoogleAppMeasurement, DataTransport) Third party iOS Supports analytics data retention (aligned to Firebase Analytics – up to 14 months)

How you can Manage Tracking Technologies in the App

The App does not use traditional web cookies. However, it may store certain information locally on your device, such as security tokens, temporary files, and settings, to ensure the App functions correctly.

You can change or withdraw your consent in respect of our opt-in Tracking Technologies at any time by going to:

Profile → App settings → Data consent

SDKs that are essential for the App to work do not need your consent and you cannot turn them off.

Android Devices

Android devices allow users to manage an individual app’s stored data directly through device settings.

You can remove locally stored App data by:

  1. Opening the Settings app
  2. Finding Apps (or Applications)
  3. Selecting the PRA Group App
  4. Choosing Storage
  5. Using one of the following options:
    • Clear Cache – removes temporary files only
    • Clear Data / Clear Storage – removes all App‑related data, returning the App to its default state
 

After clearing data, you may need to sign in again.

You can continue to manage your account as normal once the App restarts.

Changing your tracking or analytics choices on Android:

Because Android allows you to reset the App’s stored data from Settings, you can change your preferences at any time by clearing the App’s data and then reopening it. When the App starts again, you will be presented with the cookie or tracking choices available for your device and App version.

iOS Devices (iPhone)

iOS does not allow individual apps to selectively delete specific stored data (such as the equivalent of cookies). All App‑related local data is removed only when the App itself is deleted.

To remove stored data on iOS:

  1. Press and hold the App icon
  2. Tap Remove App
  3. Confirm Delete App

 

When the App is deleted, all associated temporary files, identifiers, and stored settings are removed.

You can then reinstall the App from the App Store.

When you reinstall and open the App, you will be shown any applicable cookie or tracking choices again.

Using the App after rejecting optional tracking on iOS:

If you reinstall the App and are shown a screen asking whether you accept additional tracking, you can select “Reject all” and still continue to use the App to manage your account. Essential functionality will always remain available.

Third-Party Tracking Technologies Used on our Platforms

Google Analytics

We use Google Analytics cookies to understand how visitors use our Website. Google Analytics uses cookies, but on our Website, IP anonymisation is enabled. This means your IP address is masked and cannot be linked to other Google data.

If you choose to opt in to non-essential cookies using our cookie banner, we use Google Analytics to collect general, anonymised statistics. This includes page visits, actions on the Website, time spent, how you arrived, clicks, and browser and device details.

Google may process this data on servers in the U.S. For more details, visit Google’s Privacy Policy for Partners (www.google.com/policies/privacy/partners).

Google Firebase

In our App we use Firebase, a service provided by Google, to collect information about how customers use the App and to improve its performance and reliability.

We use these services to:

  • understand how the App is used;
  • measure performance and key actions within the App;
  • identify and fix technical issues.

 

Where Google services are used (including Firebase and limited measurement functionality such as Google Ads On‑Device Conversion):

  • data is processed on your device where possible;
  • any information collected is aggregated and does not identify you personally;
  • we do not use this information to track you across other apps or services;
  • we do not use SDKs in the App for advertising or marketing purposes.

 

We do not currently use SDKs in the App for marketing purposes. If this changes, we will update this Policy and obtain your consent where required.

MAPP (Webtrekk)

MAPP is a web analytics service provided by Webtrekk GmbH in Berlin, Germany. It collects data in an anonymous or pseudonymised form.

If you choose to opt-into non-essential cookies using our cookie banner, we use Webtrekk to ensure the security and integrity of the Platforms.. Data collected includes:

  • Device, operating system, and browser details
  • Shortened IP address
  • City-level location
  • Pages visited and time spent
  • Referrer site and campaign details
  • Clicks and interactions such as videos, FAQs, logins, and payments
 

For questions, contact datenschutz@webtrekk.com. More details: Webtrekk Privacy Notice (https://www.webtrekk.com/privacy-notice.html).

Visual Website Optimiser (VWO)

VWO, provided by Wingify Software Private Limited, uses tracking technologies to test and improve Platforms usability. Data is collected in an anonymised form.

If you accept additional tracking technologies, VWO places an anonymous ID on your device to track usage. No personally identifiable information is recorded.

For questions, contact privacy@wingify.com. More details: VWO Privacy Policy (https://vwo.com/privacy-policy).

Contact Us

PRA Group (UK) Limited
Level 11, Riverside House
2A Southwark Bridge Road
London, SE1 9HA

 

 

Contact our Data Protection Officer
If you need to contact our Data Protection Officer, you can reach them:

 

 

Our EU/EEA Representative
We have appointed PRA Group Polska Holding Sp. z o.o. as our representative for EU/EEA consumers.