Last updated: March 2026
We’re SCAMFISH Limited and we operate under the name SCAMFISH. We specialise in Claims Management Services.
We’re regulated by the Financial Conduct Authority under FRN 937096 and our data protection registration number with the Information Commissioners Office is A8986071.
This notice explains how and why we use your personal data when you contact us to potentially start a claim (you’re a Potential Client), or contract for our Claims Management Services (you’re a Client).
Have a question about something in this notice, or want to contact our Data Protection Officer? Complete a contact us form and highlight it for the attention of the DPO.
For the purposes of data processing we refer to you as either a Potential Client or a Client depending on your relationship with us. So that you can navigate your way through the policy easily, we’ve split it into three sections:
Throughout this policy, we refer to your personal information as your data.
When you provide your data to us, you consent to us using your personal information to:
When you’ve contacted us about your claim, in order to move forward we need you to provide your full name, postal address, telephone number and email address. We’re likely to also need information about your case, such as the events that took place as well as the amount that you lost.
Once we receive this information we’ll use your data to email you a Welcome Pack that includes full information about our services for you to sign. If you don’t want to provide this information or sign our contract contained in the welcome pack, then we won't be able to offer our Claims Management Services to you.
We’ll keep your contact details following an enquiry for a maximum period of three years. During this time we may contact you using the contact details you provided in order to offer you our Claims Management Services. We’ll reach out using the contact methods you’ve selected which could include:
We’ll take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We’ll store all the personal information you provide on our secure servers that are subject to strict security requirements.
You can withdraw your consent to us contacting you through any medium at any time. You can do so verbally via telephone or in writing via email, live chat or through the post using our contact details.
When you’ve contracted with us, we need you to hold your full name, postal address, telephone number and postal address. We need to hold details about your case, such as the events that took place as well as the amount that you lost.
In the process of working your claim, we speak to the banks / lenders relevant to your claim and potentially the Consumer Financial Protection Bureau (CFPB). During this process, we may obtain and store other personal data, such as bank account details or finance agreements relevant to the claim and complaint reference numbers. If you don’t want us to process this information then we won't be able to offer our Claims Management Services to you.
While using our Claims Management Services, you agree for us to process your personal information through signing our Letter of Authority which means you agree to our Terms & Conditions, allowing us to:
Once you’ve entered into a contract with us, we’ll keep your data for as long as necessary to fulfil the purpose it was collected for (our Claims Management Services). We’ll normally keep your data for 6 years starting from the date of the conclusion of your last contract. After this time has expired we’ll delete the information or anonymise it so that it can’t be linked to you.
The retention of your data enables us to provide our Claims Management Services to you, and fulfil our legal obligations including our accounting requirements and our regulatory obligations, such as complaint handling.
We’ll take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We’ll store all the personal information you provide on our secure servers that are subject to strict security requirements.
You’re able to opt-out of contact at any time letting us know via telephone, email, SMS or post. While under contract, you’re unable to withdraw consent for postal communications, as we require this method of contact to fulfil our regulatory obligations.
You’re able to withdraw consent verbally via telephone or in writing via email or post using the contact details listed in this policy and on our website.
We use marketing to let you know about our services offered as well as any other services which may be of interest to you, including developments that could have an impact on the original service you engaged with us on, new claim areas, and/or similar services.
Should you no longer wish to receive information about similar products and services, you can always object to receiving marketing communications from us and we’ll stop processing your data for marketing purposes. You’re able to withdraw your consent verbally via telephone or in writing via email or post using the contact details at the start of this policy.
We may use your personal information, including information about how you interact with communications we send to make decisions about what services we think you may be interested in and tailor our marketing communications to you. This is called profiling for marketing purposes. We believe we have a legitimate interest to do this and that it is not against your rights. However, if you don’t want us to use your personal information in this way you have a right to object to this and can let us know using the contact details at the start of this policy.
We’ll only collect information that we genuinely need to meet or perform the legal or contractual obligations necessary to provide you with our services, where we have a legitimate interest to do so, or where we have your permission (your consent). This will likely include the collection of:
We control the use of your data in line with this policy and we don't sell your data to third parties in any circumstances.
So that we can effectively provide our Claims Management Services to you, we’ll share your data with third parties relevant to your claims that provide critical functions in accordance with strict data security arrangements:
We’ve carefully selected our third parties due to their commitment to keeping your data safe. If you request for us to stop processing your data, we’ll also communicate this to the relevant third parties if they’re processing this on our behalf. If you have any concerns about the above third parties, please let us know and we can provide advice and support to help you manage your data preferences.
As a data controller, if you request the rectification, erasure or restriction of your data, we’ll also communicate this to any third party who your data has been disclosed to.
In exercising any of your rights, we’ll take action within one month. However, should the request be complex we can extend this by a further two months. We’ll inform you of this in this event. We’ll need to confirm your identity before completing any action on your behalf, and reserve the right to not complete action until we are satisfied that you are making the request. If we cannot complete your request, we’ll inform you within one month and explain why.
You can access your data at any time by submitting a Subject Access Request (SAR). We’ll confirm what data is being processed and provide you with a copy of your data in addition to confirming your data rights for free. However, if you make repetitive requests, we’ll charge an administrative fee of $10.
You can make this request using reasonable means, including by telephone, post or email. If you make the request by email, we’ll provide your information in a commonly used electronic format unless you instruct us otherwise.
You can amend any inaccurate data that we hold by notifying us by telephone, post or email, or during the course of the provision of our services. We’ll make the amendment as soon as possible. If any data held is incomplete, you can complete this at any time. We may require this to be completed to allow us to provide our Claims Management Services.
At your request we can erase or “forget” your data in the following situations:
You can make this request using reasonable means including by telephone, post or email. If you request for your data to be erased, we’ll confirm whether this can take place and the next steps that we’ll take. If we cannot erase your data, we’ll explain why and confirm any actions required to allow us to do so.
At your request you can restrict us from processing your data in the following situations:
If you make a restriction request, we’ll still store a copy of your data but cannot use this. We’ll inform you if the restriction needs to be lifted. You can make this request using reasonable means including by telephone, post or email. If you request for your data to be restricted, we’ll confirm whether this can take place and the next steps that we’ll take. If we cannot restrict your data, we’ll explain why and confirm any actions required to allow us to do so.
You can object to the processing of your data at any time. If you object, we’ll no longer process your data unless we have a compelling and legitimate reason not to do so. In this case, you’ll be informed why we can’t stop processing your data. In the event that you do this while we are providing Claims Management Services to you, it is possible that we won’t be able to continue with your claim. If this is the case our fee may still be applicable at a later date.
You can always object to receiving marketing from us and we’ll stop processing your data for marketing purposes at any time.
You also have the right to object to us using information about you and how you interact with our services to tailor our communications to you.
You can exercise your right to object to the processing of your data using the contact details at the start of this policy.
We can provide your data in a commonly used electronic format at your request. We can also transfer this to another entity or person where we’re processing your data with your consent or in accordance with a contract. This only applies to information processed by automated means.
We have regulatory requirements and other legal requirements that may require us to use your data. This includes things such as complaint handling and financial record keeping. In these circumstances we may be required to keep your data by law and we’ll inform you if this is the case.
Our cookie policy can be found here.
A cookie consists of information sent by a web server to a web server and is stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web server.
We may disclose information about you to any of our employees, officers, agents, suppliers or subcontractors insofar as reasonably necessary for the purposes as set out in this policy.
In addition, we may disclose information about you:
We may transfer and store the data we collect from you to organisations outside the European Economic Area (EEA). This would be where we have your consent, to comply with a legal duty or where we work with a third party to provide you with our Claims Management Services and they process information outside the EEA.
Where we do this, we’ll make sure that your data is protected to the same extent as in the EEA.
This policy references other websites. We’re not responsible for the privacy policies or practices of third party websites.
If you have a complaint about how we use your personal information, you can contact us via telephone, through live chat on our website or by filling in a contact us form on our website and we’ll do our best to fix the problem. This is also how you can also reach our Data Protection Officer.
If you’re still not happy with our response, you can refer your complaint with a data protection supervisory authority in the EU country where you live or work, or where you think a breach has happened. The US’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at ico.org.US.
We’ll post any changes to this privacy policy on this page and if they’re significant we’ll let you know by email.