Privacy Hub
Equifax (TDX) Debt Services Privacy Notice
This privacy notice explains how Equifax’s group company, TDX Group Limited, processes personal data to support customers with debt management and recovery.
Last updated: January 2026
You will know us as TDX but our legal name is TDX Group Limited (“TDX”, “we”, “our” and “us”). We’re committed to protecting the privacy of individuals whose personal data we are processing.
This Equifax (TDX) Debt Services Privacy Notice (“Notice”) describes how and why TDX uses personal data in relation to TDX Debt Services (“Debt Services”), which include supporting our customers with:
- managed debt recovery;
- insolvency management; and
- debt sale.
TDX operates a fully managed debt recovery service, designed for large creditor (lender) customers across financial services, retail, energy, water, telco and media sectors, as well as local and central government. We provide solutions to optimise the recovery of money owed, while improving the end consumers’ outcomes and experiences. TDX is regulated by the Financial Conduct Authority (“FCA”) and is authorised to conduct debt collection.
You should read this Notice to understand what we are doing with your personal data in relation to Debt Services, the basis on which we undertake such use, who we share your data with and your rights in relation to your personal data.
TDX is a Data Controller (“Controller”) of your personal data, which means that we make decisions about how and why we process it. As a Controller, we’re responsible for making sure that it’s processed in accordance with data protection law. In some circumstances, we operate solely as a Data Processor (“Processor”) of your personal data. This means we have been directed by a separate independent Controller (e.g. a public sector authority or an insolvency manager) to help recover debt on its behalf.
TDX is part of the Equifax group of companies. Via the Equifax Privacy Hub, Equifax makes available other privacy notices which relate to specific Equifax products or services, or other Equifax group companies. These apply in conjunction with this Notice so please ensure that you read every relevant notice. Our privacy notices include:
Privacy Notice | Processing Activities |
Equifax Credit Reference and Related Services Privacy Notice | This privacy notice explains how Equifax processes personal data as part of its core credit reference agency (CRA) activities. These processing activities often relate to personal data that has not been collected directly from the individual. |
This privacy notice explains how Equifax processes personal data relating to its myEquifax products and services (e.g. Credit Report and Score, WebDetect and Social Scan) and users of the Equifax website. These processing activities usually relate to personal data that has been collected directly from the individual or from the individual’s direct use of myEquifax products and services, as well as the Equifax website. | |
This privacy notice, produced with Experian and Transunion (the other key CRAs), explains how personal data is processed for core credit referencing activities. This often relates to personal data that has not been collected directly from the individual. | |
Equifax (TDX) Debt Services Privacy Notice (THIS NOTICE) | This privacy notice explains how Equifax’s group company, TDX Group Limited, processes personal data to support customers with debt management and recovery. |
This privacy notice explains how Equifax’s group company, Consents Online Limited, processes personal data to provide customers with access to consumer transaction data held within payment accounts. This is known as open banking. | |
This privacy notice describes how and why Equifax processes personal data to administer our Workforce Solutions database and related services, for example to quickly and reliably approve applications for housing, jobs, credit and benefits. |
We understand that TDX’s processing activities are complex and that the language used in relation to our activities is sometimes difficult to understand. We have tried to explain things as simply as possible throughout this Notice, however to assist further we have put together a Privacy Glossary which provides more information about some of the terms used throughout this Notice. Whenever you see a word highlighted like this, you can click through to our Privacy Glossary to learn more.
CONTENT:
- How can you contact us?
- How do we use your personal data?
- What types of personal data do we use, and where do we get it?
- What is our lawful basis for using your personal data?
- What do we do with your personal data and why?
- Where in the world is your personal data processed?
- How do we safeguard your personal data?
- How long do we keep your personal data?
- What are your rights in relation to your personal data?
- Who can I complain to if I'm unhappy about the use of my personal data?
- Changes to this notice.
1. HOW CAN YOU CONTACT US?
You can contact us by:
- Post: TDX Group Ltd, 5th Floor, EastWest, Tollhouse Hill, Nottingham, NG1 5FS
- Website: www.tdxgroup.com
- Email: info@tdxgroup.com
- Phone: 0115 953 1200
TDX has a dedicated Data Protection Officer (DPO) who can be contacted by:
- Email: info@tdxgroup.com
2. HOW DO WE USE YOUR PERSONAL DATA?
We process your personal data for particular purposes in connection with:
- Managed debt recovery
- Insolvency management
- Debt sale
- Any other engagements you may have with us
- The management and administration of our business
3. WHAT TYPES OF PERSONAL DATA DO WE COLLECT, AND WHERE DO WE GET IT FROM?
To enable us to operate our business it is necessary for us to collect and store personal data about you. We typically do not have a direct relationship with you, so we obtain this data from other sources, as outlined below.
DEBT MANAGEMENT AND RECOVERY
CATEGORY OF DATA | TYPE OF PERSONAL DATA | COLLECTED FROM |
Debt account data | Information from creation of credit accounts or other financial accounts e.g. utility bills and telecom bills:
|
|
Credit Reference Agency (CRA) data | Information we obtain from CRAsto assist in the recovery management process:
For more information see the Credit Reference Agency Information Notice (CRAIN) (SECTION 2 (d) and 3) |
|
Data from other data providers | Information we obtain from other data providers to assist in the recovery management process. Examples may include:
|
|
INSOLVENCY MANAGEMENT
CATEGORY OF DATA | TYPE OF PERSONAL DATA | COLLECTED FROM |
Individual voluntary arrangement (IVA) data | Information included in the IVA:
|
|
Debt account verification data | Information related to the debt referenced in the IVA:
|
|
Data from other data providers | Information to assist in the insolvency management process:
|
|
DEBT SALE
CATEGORY OF DATA | TYPE OF PERSONAL DATA | COLLECTED FROM |
Debt account data | Information from creation of credit accounts or other financial accounts, e.g. utility bills and telecom bills:
|
|
Credit Reference Agency (CRA) data | Information to assist in the debt sale process:
See the Credit Reference Agency Information Notice (CRAIN) (SECTION 2 (d) and 3) |
|
Data from other data providers | Information we obtain from other data providers to assist in the Debt Sale process. Examples may include:
|
|
INTERNAL BUSINESS-TO-BUSINESS (B2B) ACTIVITIES
Equifax may use your personal data in a professional capacity (e.g.your name, work email address and job title) for internal B2B marketing and support activities.
4. WHAT IS OUR LAWFUL BASIS FOR USING YOUR PERSONAL DATA?
We are required by data protection law to always have a “lawful basis” (i.e. a reason or justification) for processing your personal data. There are a number of lawful bases set out in data protection law, but TDX considers the following to be the most relevant lawful bases that we rely on:
- The processing is necessary for the purposes of legitimate interests pursued by us or a third party, and these are not overridden by your interests or fundamental rights (“Legitimate Interests”)
- The processing is necessary to comply with a legal obligation (“Legal Obligation”)
- The processing is on the basis of your consent (“Consent”)
The table below sets out the purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.
PURPOSE OF PROCESSING | CONSENT | LEGAL OBLIGATION | LEGITIMATE INTERESTS |
Debt recovery management TDX helps place and manage any debt owed, through a debt collection agency (DCA) network. TDX uses various data sets (explained in SECTION 3) to understand a consumer's financial position and to support any future repayment plans. | ✔ Supporting debtor tracing and debt collections | ||
Insolvency management TDX provides a service to creditor customers, managing all aspects of personal insolvencies, including bankruptcies and trust deeds, as well as individual voluntary arrangements (IVAs) including a full payment management service. | ✔ Supporting insolvency management | ||
Debt sale TDX provides an asset sale brokerage service to help creditor customers use the right data, processes and oversight to help the sale of debt portfolios. | ✔ Supporting the commercial acquisition process of debt purchase | ||
Data loading, matching and linking Data supplied to TDX is checked for integrity, validity, consistency, quality and age to help make sure it’s fit for purpose. These checks pick up things like irregular dates of birth, names, addresses, account start and default dates, and gaps in status history. Data supplied to TDX is matched to existing databases to help make sure it’s assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. Where permitted, TDX uses the personal data individuals have provided to its customers, together with data from other sources to create and confirm identities, which are used to underpin the services TDX provides. As TDX compiles data into its databases, links are created between different pieces of data. For example, individuals who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address. | ✔ We have a regulatory responsibility to ensure that data is accurate | ||
Data may be used to help support the development and testing of new products and technologies. | ✔ | ||
Using your contact information to respond to your enquiries and/or complaints | ✔ (it is in our mutual interests to respond) | ||
Using any relevant personal data to establish and enforce our legal rights, or to comply with a court order, law enforcement requirement (or other legally mandated request), or legal obligation | ✔ | ||
Using any relevant personal data required to hold, or share, your personal data in compliance with FCAregulations and permissions | ✔ | ||
Using any relevant personal data in relation to the managing the proposed or actual sale, restructuring, or merging of any or all part(s) of our business | ✔ | ✔ (we have a legitimate interest in being able to sell or restructure our business and maintain continuity for us, or a buyer) | |
Through our internal business-to-business marketing and support activities, we may communicate with you, where you have consented for us to do so, using the information you provide to us through this website, by sending you bulletins, updates and invites which may be relevant and useful to you. You have the opportunity to opt-in and opt-out of these communications. Please see ‘SECTION 9. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA’ below. | ✔ (where consent is legally required) |
We may also convert your personal data into statistical or aggregated form to better protect your privacy, or anonymise the data so that you are not identified or identifiable. Anonymiseddata is not personal data and we may use such data to conduct research and analysis, including to produce statistical research and reports (e.g. to help us understand and improve our products and services).
5. WHO DO WE SHARE PERSONAL DATA WITH AND WHY?
TDX may share your personal data with:
- its affiliates, i.e. companies that control, are controlled by, or under common control with TDX; and
- selected third parties that we work with.
These recipients within and outside our group may be processing your personal data on our behalf as a service provider (see below) or they may be processing it for their own purposes as a Controller.
We have summarised the categories of recipients with whom we are likely to share your personal data:
- Credit Reference Agencies (CRAs) and other data providers: TDX shares debt account information with CRAs and other data providers to validate and append additional information related to an individual’s debt account.
- Creditor customers (lenders): TDX works with creditors to validate outstanding debt, and to ensure the debt amount owed is correct.
- Insolvency practitioners and trustees: TDX receives requests from insolvency practitioners and trustees to assist consumers in managing debt. Through your authorisation, TDX works with these entities to help consumers manage their debt.
- Debt purchasers: TDX helps customers understand how to best manage debt portfolios and facilitates the sale of these portfolios (as previously described).
- Public bodies, law enforcement and regulators: The police and other law enforcement agencies, as well as public bodies like local and central authorities and TDX’s regulators, can sometimes request us to supply them with personal data. This can be for a range of purposes such as preventing or detecting crime, fraud, apprehending or prosecuting offenders, assessing or collecting tax, investigating complaints or assessing how well a particular industry sector is working.
- Processors: TDX uses other organisations to perform tasks on its behalf (e.g. IT service providers and call centre providers). Many of these services are provided by companies within the Equifax group of companies, of which TDX is a part. Examples of other Processors not in the Equifax group include:
- Debt collection agencies (DCAs): TDX works with other DCAs (known as a panel) to engage consumers and facilitate the repayment of debt on behalf of our creditor customers (lenders).
TDX uses other trusted organisations to perform tasks on its behalf. The following shows the countries of operation for listed services:
SERVICE CATEGORY | COUNTRY(S) OF OPERATION (See SECTION 6 for more information on TDX’s overseas processing) |
IT infrastructure and operations software support | UK & India |
IT back office business process software support | India |
IT back office helpdesk service support | India |
IT service management support | US |
Telephone support services | UK |
Printing and mailing house services | UK |
Marketing communication services | UK |
Confidential waste services | UK |
The following services are provided by companies within the Equifax group of companies:
DESCRIPTION OF SERVICE | COUNTRY OF OPERATION (See SECTION 6 for more information on TDX’s overseas processing) |
Administrative support, IT and security back office software support, software development and cloud disaster recovery | US (Equifax Inc.) |
In addition to the above, the Equifax group of companies has service arrangements in place with auditors, consulting and professional service providers.
Individuals
People are entitled to obtain copies of the personal data TDX holds about them. You can find out how to do this in SECTION 9 below.
6. WHERE IS YOUR PERSONAL DATA STORED AND SENT?
TDX Group Limited is a UK-based company, and the majority of our processing of your personal data takes place in the UK. All information and personal data processed by TDX is stored on encrypted services at secure physical locations (whether these be our own servers or those of cloud service providers that we use; Google data centres based in the UK with backups in the EU). TDX has internal policies and controls in place to keep personal data secure and minimise the risk of it being lost, misused, disclosed or accidentally destroyed.
TDX Group Limited is part of a global group of companies, therefore your personal data may be transferred to other group members outside of the UK and/or the European Economic Area (EEA). In addition, some of our service providers may have processing operations in other jurisdictions. Details of the main Processors TDX uses and where they operate can be found above in SECTION 5.
While data protection law in some jurisdictions may not provide the same level of protection to your personal data as it is provided under UK data protection law, Equifax takes steps to ensure the appropriate protections are in place before knowingly transferring personal data outside of the UK/EEA. To do this :
- TDX ensures third parties have entered into contractual duties of confidentiality
- third parties are obliged to implement appropriate technical and organisational measures to ensure the security of personal data
- TDX puts in place contracts with recipients containing mandatory terms approved by the European Commission which provide a suitable level of protection for personal data. These are commonly referred to as Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs)
Where TDX Group Limited is transferring personal data to group company Equifax Inc. and its U.S. subsidiary Kount Inc. (together, "Equifax US"), Equifax US complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Please see the Equifax Inc. Privacy Statement (SECTION EU-U.S. and the UK Extension to the EU-U.S. Data Privacy Frameworks) for more detailed information about Equifax’s certification to the Data Privacy Framework (DPF) program and what this means. To learn more about the DPF program, and to view the Equifax certification, please visit the DPF’s website here.
7. HOW DO WE SAFEGUARD YOUR PERSONAL DATA?
Equifax is committed to protecting the security of your personal data. We implement appropriate technical and organisational measures, taking into account the nature, scope, context and purposes for processing, as well as the likelihood and severity of risks to your rights and freedoms.
8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We retain your personal data for strictly limited periods of time and for no longer than is necessary to fulfil the purposes for which we are processing it. For example, we typically retain personal data relating to our customers’ consumers (i.e. individuals with debt) for as long as our customers receive our services, and for a period of up to 6 years following closure of a debt account.
In some cases, it may be necessary for us to retain your personal data for different periods. The factors that direct how long we retain personal data for include the following:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party
- the type of information held about you; and
- whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
For more information regarding our retention periods, please contact us.
Archived data
TDX holds data in an archived form for longer than the periods described above, for things like research and development, analytics and analysis (including refining lending and fraud strategies, scorecard development and other analysis, such as loss forecasting), for audit purposes, and for the establishment, exercise or defence of legal claims. The criteria used to decide the appropriate storage period will include the legal limitation of liability period, agreed contractual terms, regulatory requirements and industry standards.
9. WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?
In certain circumstances, data protection law provides you with a number of rights in relation to your personal data. You can exercise your rights by contacting us using the details in SECTION 1.
Your rights include:
- The right of access. This is also known as a data subject access request (DSAR) and allows you to receive copies of your personal data and be provided with certain information in relation to it, such as the purpose for processing.
- The right to rectification, which requires us to correct inaccuracies in your personal data. Please see SECTION 9.2 below for more information.
- The right to erasure. This is also known as the right to be forgotten, and allows you to request that we erase your personal data. This right only applies in certain circumstances.
- The right to restrict processing, which requires us to restrict the processing of your personal data in certain circumstances;
- The right to data portability. This allows you to receive the personal data that you have provided to us in a machine readable format, where we are processing it on the basis of consent or have entered into a contract with you and the processing is automated.
- The right to object. In certain circumstances you can object to our processing of your personal data, such as for direct marketing purposes.
- The right not to be subject to automated decision-making, which allows you to raise queries, concerns and request a human review in relation to any decision made solely on the automated processing of your personal data.
- The right to lodge a complaint with the Information Commissioner’s Office (ICO). See SECTION 9 for more information.
9.1 WHAT CAN I DO IF I WANT TO SEE MY PERSONAL DATA HELD BY TDX?
You have a right to find out what personal data TDX holds about you and for a copy of this information to be provided to you free of charge. This is known as a data subject access request (DSAR). When you request a copy of your personal data and we are processing it on behalf of a customer (the Controller), we will identify the customer and forward the request to them on your behalf.
To submit a DSAR in relation to the personal data that we are processing as a Controller, please contact us at DSAR@tdxgroup.com.
If you require a copy of your personal data in a format such as paper, braille or audio, please contact us using the details in SECTION 1.
9.2 WHAT CAN I DO IF I THINK MY PERSONAL DATA IS WRONG?
We want to make sure that your personal data is accurate and up-to-date, however much of the personal data we hold about you is received from third parties, such as data suppliers, e.g. lenders, and CRAs. If you think that TDX is processing inaccurate or incomplete personal data about you, you are able to challenge it. This is known as the right to rectification.
However, we are not able to automatically amend this information. When acting as a Controller, we are required to follow a set process of informing the relevant data supplier and seeking their confirmation as to the accuracy of the data. When acting as a Processor, TDX isn’t able to change the data without permission from the organisation that supplied it, so we will again need to follow a set process and take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.
9.3 CAN I OBJECT TO TDX’S USE OF MY PERSONAL DATA AND HAVE IT DELETED OR RESTRICTED?
Under the UK’s data protection law, you have the right to object to your personal data being processed, and to request that the processing is either restricted or the data is deleted. However, please be aware that the right to object, the right to restrict processing and the right to erasure are not ‘absolute rights’, which means that they only apply in certain circumstances.
Right to object
The right to object applies in the following circumstances:
- Where the processing is based on a legitimate interest or a public interest (see SECTION 4 on lawful bases). However, we are able to continue processing your data if there are ‘overriding legitimate grounds’ (see SECTION ‘Overriding legitimate grounds’ below)
- Where personal data is processed for direct marketing purposes. This is an absolute right, meaning that if you object to us processing your personal data for direct marketing purposes, we will stop that processing. Please note that we may retain a record of your objection and other information to ensure that your personal data is no longer used for direct marketing purposes
Right to restrict processing
The right to restrict processing applies in the following circumstances:
- Where you have raised a concern about the accuracy of your data, we will restrict processing it for a period of time while we verify its accuracy
- Where the processing of your personal data is unlawful but you would prefer that the data is not deleted and would instead like us to simply not use it
- Where it is no longer necessary for us to process the personal data but you would like us to retain it rather than delete it, so that you can use it for the establishment, exercise or defence of a legal claim
- Where you have objected to the processing of your personal data and are waiting for confirmation of any overriding legitimate grounds that we may have to continue processing it
Right to erasure
The right to erasure applies in the following circumstances:
- Where the personal data is no longer required for the purpose it was collected for
- Where you have revoked your previously given consent for the processing of your personal data and there are no other appropriate lawful bases to continue processing it
- Where your personal data is processed for direct marketing but you have now objected to such use
- Where your personal data is being processed unlawfully or UK law requires us to erase the personal data to comply with a legal obligation
- Where the processing of your personal data is on the basis of a legitimate interest or is in the public interest, you have objected to this processing and there are no overriding legitimate grounds to continue processing it
Where TDX is acting as a Controller, you have the right to object or submit a restriction or erasure request in relation to the processing of your personal data. However, it is likely that overriding legitimate grounds for TDX to continue processing your data will exist despite your request. This is because of the importance of debt recovery, debt sale, and insolvency activity to the UK’s financial system. In many cases, it wouldn’t be appropriate for TDX to restrict, stop processing or delete your personal data, e.g. hiding an individual’s debt profile would reduce the likelihood of a legitimate debt being paid.
Debt recovery management and debt sale
TDX processes personal data for debt recovery management and debt sale under the legitimate interests ground for processing. We do not require your consent for this processing.
Business-to-business (B2B) marketing activities
You can opt-out of receiving direct marketing at any time by either contacting us using the details above, or following the instructions within each marketing communication.
9.4 DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY TDX DATA?
In certain circumstances, data protection law allows a right to data portability, which means that individuals can receive their personal data in a portable format when it’s processed under certain lawful bases, such as consent. This right does not apply to TDX data that is processed on the grounds of legitimate interests (see SECTION 4 on lawful bases).
9.5 DOES TDX MAKE DECISIONS ABOUT ME OR PROFILE ME?
Scores and profiling
TDX uses automated scoring and profiling to better understand you as a consumer, your circumstances, and your financial position, including what might impact your ability to pay off debt.
Scoring and profiling is based on a multitude of factors including your payment history, location, any barriers to debt repayment, and reason(s) why your account is in default.
Debt collecting decisions
In relation to scoring and profiling, automated decisions will be made (after consultation with our customers about appropriate debt collection strategies) regarding how best to engage with you. These decisions inform which DCA would be the best fit for you, if any, based on your current situation. We also consider the best method of communication with you, what type of contact should be made, and how frequently.
10. WHO CAN I COMPLAIN TO IF I’M UNHAPPY ABOUT THE USE OF MY PERSONAL DATA?
You have the right to lodge a complaint with the UK’s data protection regulator, the Information Commissioner’s Office (ICO), if you are unhappy about how we have processed your personal data. More information can be found on the ICO’s website here, however we would really appreciate the chance to deal with your concerns before you approach the ICO and so we ask that you please contact us first. The contact details for TDX’s Complaints team are:
- Post: Complaints, TDX Group Limited, Service Assurance Team, First Floor, 6 Wellington Place, Leeds, LS1 4AP
- Website: www.tdxgroup.com
- Email: consumercomplaints@tdxgroup.com
- Phone: 0115 953 1200
11. CHANGES TO THIS PRIVACY NOTICE
TDX may make changes to this Notice in the future. The revised notice and its effective date will be published on this website.