Most of the help we give is given the easy way: you phone, we look at your record on our screen, we walk you through what to do on yours. Now and then, though, it is faster and clearer for us to act on your account ourselves while you are watching — to see exactly what you see, fix something, or finish a step for you. Because this involves us operating inside your account, we owe you a plain-English account of what happens, what is recorded, and what your rights are.
What “acting as you” actually means
When a support team member clicks Act as this customer on your record, our system does NOT log them in as you. Your password is never touched, no session cookie is set under your identity, and no email or text is sent in your name. Instead, the staff member remains signed in as themselves; the system simply applies a marker that says “while I am signed in as me, treat my actions as if they are happening on customer X’s portal”. A red banner stays at the top of every page for as long as the session is active, naming the customer and giving the staff member a one-click End session button. The session auto-ends after thirty minutes no matter what.
What we record
Every start and end of one of these sessions is written to two places at once: the global activity log (so management can audit all impersonation events across the company), and your own customer audit log, which is visible to staff reviewing your record. The same audit log also captures every login, every logout, every profile edit, every payment, every e-sign, and every uploaded document — yours or ours. There is no “off the record” mode. If a support agent acted on your behalf, the audit log will show it, with the time, the agent’s name, and what they did.
Who can do this
This is not available to every staff member by default. The director maintains an explicit allow-list of who can use the “Act as this customer” feature, and a staff member who is not on that list cannot start a session at all — the button is hidden for them and the underlying endpoint returns a permission error. We treat this as a sensitive capability, not an everyday one.
Your rights
You can ask, at any time, for a full extract of your audit log. You can also revoke any consent for support to act on your account by saying so on a call or in a message; we will record the revocation in the same audit log and stop the practice for you. You can request, under UK GDPR, the names of the staff members who have acted on your account; we will provide them. We use “acting as you” only to help, never to make decisions about you that you have not requested — anything that changes your loan, your terms, or your contact details is captured as a separate, signed action.
Why we built it this way
The alternative — staff members logging into customer accounts using a shared trick or by asking customers for their passwords — is how organisations end up with messy audit trails and avoidable security incidents. Putting it on the record, with a visible banner and a thirty-minute timer, removes the temptation to do it the wrong way. We would rather be visible about how we help than have help quietly become opaque.
