StepEx

Privacy Policy

Last updated: 20 January 2026

Step Exchange Ltd ("StepEx", "we", "us", or "our") is committed to protecting your personal data and being transparent about how we use it.

This Privacy Policy explains how we collect, use, store, and protect personal data when you interact with us, our website, or our services.

1. Who we are

  • Legal entity: Step Exchange Ltd
  • Registered address: StepEx, Complete HQ, 2 Bridge Court, Kingsmill Road, Saltash, Cornwall, United Kingdom, PL12 6LS
  • ICO registration number: ZA348090
  • Privacy contact: info@stepex.co

We are the data controller for the purposes of UK data protection law.

2. The personal data we collect

Depending on how you interact with us, we may collect:

  • Contact information (e.g. name, email address, phone number)
  • Financial information (e.g. income information, repayment history)
  • Bank transaction data, where you choose to provide access via Open Banking
  • Credit reference data obtained from credit reference agencies
  • Identity and verification data (e.g. date of birth and identity checks where required)
  • Technical data (e.g. IP address, device and browser information)
  • Usage data (e.g. how you use our website or services)
  • Communications (e.g. emails or messages you send us)

We only collect personal data that is relevant and necessary for the purposes described below.

3. How we use your personal data

We use personal data to:

  • provide and administer our services
  • assess eligibility and affordability for education finance
  • meet legal and regulatory obligations (including anti-money laundering and fraud prevention)
  • manage customer relationships and support enquiries
  • improve our products, services, and risk models
  • operate, secure, and improve our website

4. Legal basis for processing

We process personal data where we have a lawful basis to do so, including:

  • Contract: Processing is necessary to perform a contract with you or take steps at your request before entering into a contract.
  • Legal obligation: Processing is necessary to comply with legal or regulatory requirements.
  • Legitimate interests: Processing is necessary for our legitimate interests (or those of a third party), provided your rights do not override those interests.
  • Consent: Where you have given consent for specific processing activities.

5. Your rights

Under UK data protection law, you have rights including:

  • The right to access your personal data
  • The right to rectification of inaccurate data
  • The right to erasure in certain circumstances
  • The right to restrict processing
  • The right to data portability
  • The right to object to processing

To exercise any of these rights, please contact us at info@stepex.co.

6. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:

Email: info@stepex.co
Address: StepEx, Complete HQ, 2 Bridge Court, Kingsmill Road, Saltash, Cornwall, United Kingdom, PL12 6LS

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed.