Business Loans
iwocapay
Resources
About

Customer Privacy Policy

Customer Privacy Policy

Title goes here or hide

Welcome to iwoca’s privacy notice.

1. Introducing iwoca

We put our Customers at the heart of what we do and strive to build long-lasting relationships based on transparency and trust. As a company that values your privacy, we are dedicated to safeguarding your personal data. This privacy notice details the ways in which we achieve that commitment.

Personal data we collect from or about you will be held by iwoca Ltd, which is part of the iwoca group. The iwoca group is made up of our main legal entity in the UK – iwoca Ltd; and other legal entities that are under the control of or in common control with iwoca Ltd, (referred to as “iwoca Group Entities”); Collectively iwoca Ltd and the “iwoca Group Entities" will be referred to as “iwoca”, “we” or “us” throughout this policy. More information about iwoca can be found on Our Website.

iwoca Ltd is registered with the Information Commissioner’s Office (registration no. Z3007540) and we’re also registered with the Financial Conduct Authority (FCA) under the Payment Services Regulations 2017 for the provision of payment services (reference number: 791804). 

We provide the “iwoca Products and Services” which are all the products, services and information offered via our website, our customer account pages accessed via your login, and our mobile web app (“Our Website”) and also through our iOS and Android mobile applications available for download on the App Store and on Google Play (“Our App”). Our Website and Our App, together form “the iwoca Platform”. See the below table for the list of iwoca products and services available through the iwoca Platform.

iwoca is your Data Controller

When you use iwoca Products and Services on the iwoca Platform, iwoca will collect, process and use personal data about you.

iwoca will be the Data Controller of this personal data, which means we are responsible for ensuring your data is handled in compliance with the applicable laws on the protection of personal data, privacy and electronic communications in the UK, including but not limited to The Data Protection Act 2018 (the “DPA 2018”), the United Kingdom General Data Protection Regulation (the “UK GDPR”), The Privacy and Electronic Communications Regulations (“PECR”) and the Data (Use and Access) Act 2025.

iwoca will also be the Data Controller for any personal data about third parties we have received from our customers, which may include other business directors, shareholders, any individuals authorised by our customers to discuss their iwoca account, and customers of their business.

2. How we use your personal data

We process your personal data for various purposes, including meeting our legal obligations, managing and improving our business, establishing, exercising, or defending legal claims, and providing our products and services. To protect ourselves and our customers, we also use this data to identify, investigate, report, and prevent fraudulent activity.

Below is a summary of the types of personal data we collect and use along with the lawful basis under the UK GDPR on which we will do so.

Type of data Description of data The Purpose(s) for processing your data Lawful basis
Contact Data Your name, addresses, e-mail addresses, phone numbers and other ways in which to contact you such as WhatsApp. Managing our relationship with and delivering the iwoca Products and Services to you and your business.

Developing and testing new and existing Products or Services and carrying out marketing or business development activities.		 Fulfilling our contract with you.

When it is in our legitimate interests.
Marketing data Your name, Contact Data, nationality, date of birth, business information. Identifying who would be interested in receiving our marketing and using our products and services.

Managing our marketing suppression list to ensure that we do not send you any more marketing when you have asked us not to.		 When it is in our legitimate interests.
Credit Reference Agency Data Your personal and business credit file data which includes anyone financially associated with you. Conducting a creditworthiness assessment on you and your business, which includes:
  • Assessing your eligibility for products and services, which includes pre approvals.
  • Ensuring any offers we provide are appropriate to you and your business' circumstances.
Tracing, collecting and recovering money that is owed to us.

Complying with laws and regulations that require us to verify your and other individuals' identity.

Proactively offering pre-approval on our credit products once you have repaid a third of your balance and are eligible for a top-up or made your final repayment or cleared your outstanding balance, or where deemed compatible with the original purpose.

Improving our credit risk models and subsequent credit decisions so that we make more accurate risk assessments, and support fairer and more tailored outcomes.		 Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interests.
Fraud and Financial Crime Prevention Data shared with and collected from fraud prevention agencies, such as CIFAS. Identifying, investigating, reporting and preventing fraud, money laundering and financial other crime.

Complying with laws and regulations that require us to verify your and other individuals' identity.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.		 When it is our legal obligation.

When it is in our legitimate interests.
Transactional and banking data Payments to and from your iwoca account.

Details about transactions carried out on your businesses bank accounts.

Details about transactions carried out on your iwoca Credit Card.

Your business bank account sort code and account number.		 Conducting a creditworthiness assessment on you and your business, which includes:
  • Assessing your eligibility for products and services, which includes pre approvals.
  • Ensuring any offers we provide are appropriate to you and your business' circumstances.
Managing our relationship with and delivering the iwoca Products and Services to you and your business.

Tracing, collecting and recovering money that is owed to us.

Identifying, investigating, reporting and preventing fraud, money laundering and financial other crime.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.

Proactively offering pre-approval on our credit products once you have repaid a third of your balance and are eligible for a top-up or made your final repayment or cleared your outstanding balance, or where deemed compatible with the original purpose. 		Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interests.
Location Data Information about your location, which may come indirectly from your device's IP address, geolocation or from post codes.

It may also include locations where you have used your iwoca Credit Card.		 Managing our relationship with and delivering the iwoca Products and Services to you and your business.

Identifying, investigating, reporting and preventing fraud, security breaches, money laundering and other financial crime.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.

Developing and carrying out marketing or business development activities.		 Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interest.
Behavioural Data Details about how you use products and services offered on the iwoca Platform including clicks and taps, time spent on pages, video recordings of platform usage, time and date of usage of our Products and Services. Analysing how our customers and others use Products and Services and the iwoca Platform to optimise and deliver a more personalised user experiences to our customers.

Developing and testing new and existing Products or Services and carrying out marketing or business development activities.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.

Identifying, investigating, reporting and preventing fraud, security breaches, money laundering and other financial crime.		 Fulfilling our contract with you.

When it is in our legitimate interests.

When it is our legal obligation.
Device, telemetry, and authentication data. Authentication details for logging into the iwoca Platform.

Details on devices and technology you use to interact with the iwoca Platform, for example your browser settings, cookie preferences, and geolocation.

Collecting technical information about whether your transaction was completed or cancelled at an iwocaPay Suppliers checkout. This includes a transaction identifier, the type of event, and the time it occurred.		 Managing our relationship with and delivering the iwoca Products and Services to you and your business.

Identifying, investigating, reporting and preventing fraud, security breaches, money laundering and other financial crime.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.

Developing and testing new and existing Products or Services and carrying out marketing or business development activities.

Monitoring the performance of our iwocaPay services.		 Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interests.
Communications Any emails, calls, chats, instant messages, feedback, or other communications between you and iwoca, including file attachments you've sent or provided to us and audio recordings. This also covers the content and information we learn about you from those communications. Managing our relationship with and delivering the iwoca Products and Services to you and your business.

Investigating and responding to your enquiries, complaints and feedback, and ensuring all customers receive good and fair outcomes.

Developing and testing new and existing Products or Services and carrying out marketing or business development activities.		 Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interests.
Publicly available records Data we collect about you from public sources (such as the Electoral Register, Land Registry, Companies House, Trustpilot, and LinkedIn). Verifying the accuracy of data you supply to us.

Identifying, investigating, reporting and preventing fraud, money laundering and other financial crime.

Developing and testing new and existing Products or Services and carrying out marketing or business development activities.

When deciding on whether you would be interested in receiving our marketing and using our products and services.		 Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interests.
Documentary data Information about you stored in documents or copies thereof, in various formats. This includes, for example, your passport, driver's licence, bank statements and utility bills. Verifying your identity, where needed.

Complying with laws and regulations that require us to verify your and other individuals' identity.

Identifying, investigating, reporting and preventing fraud, money laundering and other crime.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.		 When it is our legal obligation.

When it is in our legitimate interests.
Contractual Guarantor and loan agreements and any other legal documentation authorised directors require to execute their responsibilities. Managing our relationship with and delivering the iwoca Products and Services to you and your business. Fulfilling our contract with you.
Permission, preferences and consent data Any permissions, consents or preferences that you give us. Complying with laws and regulations that require us to verify yours and other individuals' identity.

When you link your business bank account to iwoca through Open Banking.

So we know what your preferences are in regards to cookies and any other relevant data processing activities that you can opt-out of.

When you have given a testimonial, feedback, review of your experience with our Products and Services and agreed for us to use it for marketing purposes.

Verifying your identity, where needed.		 When it is our legal obligation.

When it is in our legitimate interests.
Special category data Biometric data (for example, photos or videos, where processed by iwoca's verification partners as biometric data).

Data relating to your physical and mental health information (such as disabilities or special health needs).		 Verifying your identity, where needed.

Ensuring all customers receive good and fair outcomes.		 When you provide explicit consent.

Reasons of substantial public interest.
Data Provided About Third Parties Any data that you or others provide us with about third-parties. This includes name, date of birth, address, and contact information.

This includes information concerning:
  • Individuals personally guaranteeing a credit product.
  • Business partners (other directors and beneficial owners within the business) who are not personally guaranteeing a credit product.
  • Individuals authorised to discuss specific information regarding your iwoca account via email or over the phone on your behalf (authorised person).
  • If you are a iwoca Credit Card customer, Business partners or employees who are authorised to hold a Credit Card.
  • If you are a iwocaPay Seller, information relating to your customers within invoices you send to iwoca and Paylinks that you create.
 Conducting a creditworthiness assessment on you and your business, which includes:
  • Assessing your eligibility for products and services, which includes pre approvals.
  • Ensuring any offers we provide are appropriate to you and your business' circumstances.
Identifying, investigating, reporting and preventing fraud, money laundering and other crime.

Complying with laws and regulations that require us to verify your and other individuals' identity.

Developing and improving how we deal with financial crime as well as discharging our related legal obligations.

Managing our relationship with and delivering the iwoca Products and Services to you, and your business.		 Fulfilling our contract with you.

When it is our legal obligation.

When it is in our legitimate interests.

3. Automated decision-making and profiling

To make quicker and consistent decisions, we conduct automated decision-making in some instances. As detailed below, this involves using technology to analyse information about you and your business to assess and predict potential risks, preferences, or outcomes. For example, we perform automated decision making in the following cases:

  • When you apply for a credit-related Products or Services:

We may use automated decision-making and profiling to determine whether to offer our Products and Services to you and your business. This allows us to make quicker lending decisions and may result in a decision without human involvement.

The process works by taking the information you provide in your application, any data we already hold about you, and information obtained from third parties (such as credit reference and fraud prevention agencies) to calculate a score. This score is used to decide whether to offer the product to you and your business.

In addition to the original lending decision, if you’re an existing borrower and we think you may be interested in borrowing additional sums, we’ll also use data about you to make an automatic decision on whether or not you’re eligible for pre-approval.

  • When we monitor activity on your iwoca account(s) to detect and prevent financial crime:

This includes assessing your transactions (payments to and from your account) to identify any that are unusual and could be related to financial crime.

  • When deciding whether to market iwoca Products and Services to you:

We may use automated decision-making and profiling to help us decide whether we want to market to existing and prospective customers. We do this to assess your eligibility and interest in other products and services that we offer.

When we make automated decisions, you can contact us to ask for a person to review it or contest the decision in certain circumstances.

4. Where we collect personal data and who we share it with

We will collect personal data about you (or your business) from any of these sources:

4.1. Information from you

This includes data you or your business gives us, as well as data from people financially linked with you or linked with your business, or from anyone authorised by you to act on your behalf in regards to your iwoca account:

  • When you apply for iwoca Products and Services (either directly or via an intermediary);
  • When you use the iwoca Platform;
  • When you talk to us on the phone;
  • In emails, web or in-app chats, WhatsApp messages and letters.
  • In surveys;
  • If you take part in our competitions or promotions;

4.2. Information collected from and shared with others

We collect and share personal data with various third parties. The summary table below indicates whether we collect data from them, share data with them, or both:

Type of third party Description Collect Share
iwoca Group Entities Our affiliated companies who we may refer you to for the provision of products and services.

Our investors.
Enfuce Financial Services Ltd and Enfuce UK Ltd Our key service provider for our Credit Card product.
Providers of third party products and services Third parties who we may refer you to for the provision of products and services.
Open Banking Platforms Third party providers of financial technology infrastructure, which include Truelayer, that connect us to our customers' business bank accounts via API's. With your consent they will send information they hold about your business bank account and transactions to us.
Credit Reference Agencies (CRAs) We share and collect information with CRA's for a variety of purposes which include:

Carrying out credit checks on you and your business for certain products and services.

Assessing your eligibility for products and services, which includes pre approvals.

Verifying the identity of you and others through our KYC checks.

Improving our credit risk models and subsequent credit decisions to help us make more precise and consistent lending decisions.

More detailed information about the CRAs we use and the processing that is carried out are set out in section 5 of this Privacy Policy.
Fraud prevention agencies We share and collect information with fraud prevention agencies, such as CIFAS, to prevent fraud and money laundering and to verify your identity.

Section 6 of this Privacy Policy provides further details.
Operational partners We use outsourced service providers who help us with processing some of our credit decisions, preventing fraud, and provide us with back office administrative support.
Data hosting, storage and security IT vendors, such as cloud storage providers, to securely store your personal data.
Payment processing partners / vendors Payment processors and banking partners to facilitate payment transactions.
Identity verification providers We use third parties, such as Onfido and IDVerse, to verify your identity.
Intermediaries (Brokers, Partners, iwocaPay Suppliers) We work with third parties who either introduce you to iwoca or submit applications for our products or services on your behalf.
Social Media Platforms We use social media platforms for market research, marketing campaigns (including targeted and retargeted advertising), and to measure the effectiveness of those activities.

These platforms may also check if you have an account with them and use the information they hold to show you relevant iwoca marketing.
Public data sources Companies House, LinkedIn, Company VAT Register, and other publicly available data sources.
Marketing, business development and sales partners We use third parties to generate marketing leads, enrich marketing lead contact data and support the creation and delivery of our marketing activities.
Data analytics We use data analytics and insight firms to improve data quality, assess marketing leads, optimise customer facing platforms, strengthen financial crime prevention controls, and generate synthetic data, among other purposes.
Telecommunications and Postal Services We use providers of phone, email, text, instant messaging (such as WhatsApp) and mail services to manage and deliver communications.
Government / law enforcement / regulative bodies We may share your data with governmental bodies, regulators, courts, or other authorities, including the HM Courts and Tribunals Service (HMCTS), UK Financial Conduct Authority, HM Home Office, HM Revenue and Customs, and law enforcement agencies, as required by law.
Debt Collection We may share your data with providers of commercial debt-collection services if we have to seek repayment of debts owed to us. This can include debt collectors, lawyers, tracing agents, insolvency practitioners, process servers and enforcement officers.
Providers of Artificial Intelligence (AI) Platforms We use third party AI platforms for a variety of data analysis and operational tasks which include:

Assisting data collection from you during our onboarding process.

Assisting data analysis of data submitted when applying for our Products and Services.

Analysing how our customers and others use the iwoca Products and Services and interact with the iwoca Platform.

Workflow automation of internal business processes.

Assisting with communications we send to you.

5. Credit Reference Agencies

In order to process your application (or an application for a credit product which you will guarantee), we will perform credit and identity checks on you with one or more credit reference agencies (Equifax, Experian and TransUnion). We may also make periodic searches at credit reference agencies to manage your account with us. 

If you are a director or beneficial owner, but you are not guaranteeing the credit product, we will perform identity checks with one or more credit reference agencies (Equifax, Experian and TransUnion) as part of this application. We may also make periodic searches at credit reference agencies to manage your account with us.

To do this, we will supply your name, date of birth and address history to the credit reference agencies and they will give us information about you. Credit reference agencies will supply to us both public (including electoral register) and shared credit, financial situation, financial history, and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether your business can afford to take the product;
  • Verify your or others identity
  • Verify the accuracy of the data you have provided us;
  • Prevent criminal activity, fraud and money laundering;
  • Manage your account(s), including conducting ongoing credit checks to ensure that you or your business remains eligible for the agreed credit product;
  • Proactively offer pre approvals on our credit products once you have repaid a third of your balance and are eligible for a top-up or made your final repayment or cleared your outstanding balance, or where deemed compatible with the original purpose;
  • Tracing, collecting and recovering money that is owed to us; and
  • Improving our credit risk models and subsequent credit decisions, and ensuring any offers we provide are appropriate to you and your business’ circumstances.

In utilising the data held with credit reference agencies, in certain situations we must abide by the Principles of Reciprocity by contributing the same level of credit performance data that we receive. As such, we will continue to exchange information about your repayment history with credit reference agencies while you have a relationship with us. We will also inform the credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This information will be provided to other organisations that run a credit check on you with the credit reference agencies, such as other finance providers.

When credit reference agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you have a financial associate, we will also receive information about their financial standing from the credit reference agencies. A financial associate is someone you’re linked to through joint finances or joint credit account.

The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share information, data retention periods and your data protection rights with the credit reference agencies are explained in the Credit Reference Agency Information Notice (“CRAIN”). The CRAIN document is accessible from each of the three credit reference agencies, or by clicking on each of these three links:

TransUnion CRAIN

Equifax CRAIN

Experian CRAIN

Information specific to the credit reference agencies and their partners role as fraud prevention agencies can also be found in the below two links:

Experian Identity and Fraud Privacy Notice

PayPoint Privacy Statement

We will also use Credit Reference Agency products and services to verify your business bank account details. To do so we will share your business bank account sort code and account number, plus your company name, company number and your company address.

6. Fraud prevention agencies

Before we provide credit products to your business, we undertake checks for the purposes of preventing fraud and money laundering, and to verify the identity of the guarantors of the credit product and the directors and beneficial owners of the business . These checks require us to process personal data about you if you are a guarantor, director or beneficial owner.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that we will process include, for example: name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address.

We and fraud prevention agencies may also enable enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the financing your business has requested.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

7. Our key partners as Data Controllers

In addition to the above ways in which we process and share your personal data, iwoca also shares your data with companies who are integral in enabling us to offer some of the iwoca Products and Services to our customers. These companies become Data Controllers in relation to your personal data shared with them. That means if you want to exercise your data rights, you may need to contact them separately from iwoca.

7.1. Enfuce

If you are an iwoca Credit Card Customer, Enfuce Financial Services Ltd and Enfuce UK Ltd (“Enfuce”) provide the Credit Card operations under the iwoca Credit Card Program Terms and Conditions.

Who are Enfuce and why do they handle my data?

Enfuce is a Data Controller in relation to your card and all necessary activities relating to the operation of the card: allowing you to receive, activate and use your Card. The processing of your personal data is necessary for the performance of your contract for the issue and operation of cards and is necessary for compliance with legal and regulatory obligations applicable to Enfuce.

What personal data does Enfuce process?
Type of data Description
Personal information Full name, date of birth, and your home address
Contact information Where you live and how to contact you including phone numbers and email addresses
Transactional and card data Details about your Card, use of your Card and payments to and from your account.
Documentary data Details about you or others that are stored in documents and in various formats, or copies of them. This could include things like (without limitation) your passport, driver's license or birth certification collected to fulfil customer due diligence requirements.
Special category data Information relating to, and the results of, the biometric processing carried out by iwoca's identity verification partners Onfido and IDVerse.

Please note: Personal data will be collected directly and voluntarily from you by iwoca as part of the application process and on-going account management. iwoca will share this data directly with Enfuce where applicable. When iwoca shares your data with Enfuce, iwoca will act as a Data Processor and Enfuce will act as a Data Controller for this specific data sharing exercise. Personal data will also be collected directly from you by Enfuce as a result of transactions relating to your Card(s).

Does Enfuce send my personal data to any third parties?

Enfuce may share your personal data with third parties to deliver the Card services to you. These third parties include MasterCard, Visa and card manufacturers.

Data they process include personal details, contact information, transactional/card data, documentary data. They may send your data outside the UK/EU only under certain conditions and when ensuring appropriate safeguards are in place. They may use third parties (Mastercard, Visa, card manufacturing etc.) under legally binding terms.

More information in regards to how Enfuce will process your data can be found in their General Privacy and Data Protection Policy and Privacy notice for payment card users in the UK.

How to contact Enfuce:

You can contact Enfuce’s Data Protection Officer by emailing privacy@enfuce.com, or by mailing The Data Protection Officer, Enfuce UK Ltd, 90 High Holborn, London WC1V 6LJ, United Kingdom.

8. Sharing data with third party intermediaries

When you are referred to iwoca by a third-party intermediary (such as a Partner, Broker, or iwocaPay Supplier), we may share specific information about your application, business, or account with them. See below for examples:

  • For partners, brokers, or other referral platforms: We may share your application outcome and loan status, including your loan balance, repayment information, and eligibility to top up your loan, with the original referring party.
  • For affiliate link partners: We may report your company number, application outcome, and funding amount to the affiliate link partner.
  • For iwocaPay Suppliers: If an iwocaPay Supplier originally passed your details to us, or if you have engaged with one or more iwocaPay Suppliers, we may share your business name, the status of your credit application, and any available credit limit, with the relevant Suppliers on an on-going basis.

These third-party intermediaries act as independent Data Controllers, each with their own privacy policies and terms of service. iwoca is not responsible or liable for how these third parties process data or manage their linked websites. You should review their policies and contact them directly for more information.

9. Sharing your data with iwoca affiliates and third party providers of products and services available via the iwoca Platform

We may present or facilitate access to products and services offered by iwoca, affiliates or external partners. Their product or services may be featured on or integrated with the iwoca Platform, or we may contact you directly to see if they are of interest. Examples include the iwoca Credit Card, finding solutions for insurance coverage for your business, offering a tool that helps businesses understand, monitor, and improve their credit with regular guidance, and referring you to other lenders for credit related products.

10. How long we will retain your data for

We retain your personal data if you apply to receive iwoca products and services, and also if you apply but do not ultimately use them. This ensures that:

  • We maintain accurate records of all customer interactions, including applications and repayments;
  • We are able to respond to your questions or complaints, or to show whether we gave you fair treatment;
  • We can establish, exercise or defend legal claims;
  • We are able to analyse our customers data as part of our own research when this will not cause harm to your privacy and personal data protection rights;
  • We can comply with legal rules that apply to us about keeping customer records or information. 

We will retain your data for a minimum of seven years after you’ve started or made an application, or after you last had an active product or account with us. We may keep your personal data for a longer time depending on the laws applicable to us from time to time.

11. Transfer of your data outside the UK or EU

We store personal data in the UK or EU, but may occasionally transfer it to third parties outside these regions. Such transfers are protected to the same standard as within the UK and EU, using one or a combination of the following legal safeguards:

  • Transfer it to a non-UK or non-EU country with privacy laws that give the same protection as those under the UK or the EU (has “adequacy” status according to applicable data protection laws).
  • We use a contractual agreement to ensure recipients protect the data to UK and EEA standards
  • Use the standard contractual clauses, international data transfer agreements, and binding corporate rules approved by the UK or EU authorities under UK and EU data protection laws

When we transfer your personal data to countries without “adequacy” status using contractual instruments, we conduct transfer risk assessments to ensure sufficient additional safeguards are in place. This ensures your data continues to receive the same level of protection as it would in the UK or EU.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EU.

12. Cookies and other tracking technologies

We use cookies and tracking technologies to enhance your experience, improve our services, maintain security, and show relevant advertising when you visit Our Website or use Our App. Cookies are small files stored on your device that send data back to the website or app and can simplify logging in and using our platform.

For more detailed information on what specific cookies we use, please refer to our Use of cookies page.

13. Your rights

Under the DPA 2018, UK GDPR, and DUAA 2025 you have the following rights:

  • Rectify any data about you that you think is incorrect and have us take reasonable steps to correct it for you.
  • Be informed about how we process your data.
  • Request the erasure of personal data concerning you in certain situations.
  • Access personal data and copies concerning you processed by us in the course of our relationship with you.
  • Object to the processing of personal data concerning you in certain situations for example, for direct marketing purposes.
  • Request human intervention or contest a decision when your personal data has been processed by automated means which produce legal effects concerning you or which similarly may significantly affect you.
  • Object to our continued processing of your personal data in certain situations.
  • Restrict our processing of your personal data in certain circumstances.
  • Move, copy or transfer your personal data to another service provider (where reasonable and proportionate for us to do so).
  • Make a complaint to iwoca if you think that we used your personal information in a way that doesn’t comply with the applicable data protection laws.

When you do so, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request where applicable.

For more detail on specific rights, see guidance from the UK Information Commissioner’s Office (ICO).

14. How to contact us and how to complain

To exercise any of your rights, or should you have any query or concern about our use of your data, you can contact our Data Protection Officer (DPO). You can do this either by emailing dpo@iwoca.co.uk or mailing at iwoca Ltd, FAO Data Protection Officer (DPO), 1 Bedford Avenue London, WC1B 3AU.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to address your concerns before you approach the ICO so please contact us in the first instance.

15. Security

We implement appropriate security measures to prevent your personal data from being accidentally lost, accessed, misused or changed. Some measures include:

  • The pseudonymisation and encryption of personal data.
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems we use to process your personal data via implementation of role-based access controls, identity services and access management systems, confidentiality undertakings of our staff, regular data back-ups, 
  • Tools allowing us to restore the availability and access to your personal data quickly in the event of or technical incident. 
  • A process for regularly testing, assessing and evaluating the effectiveness of our technical and organisational security measures.

Access to your data is restricted to employees, agents, contractors, outsource providers and other third parties who process your personal data only on a ‘need-to-know’ basis, pursuant to our instructions, and who keep it strictly confidential. We have procedures in place to deal with any suspected personal data breaches and will notify you and any applicable regulator of a breach when legally required.

16. Keeping your data accurate

We will use reasonable efforts to ensure that your personal data is accurate, complete and up to date. Please make sure to notify us without undue delay if there are any changes in the personal data that you have provided to us by contacting us at the details provided in this Privacy Policy.

17. Updates to this Privacy Policy

We may update this Privacy Policy periodically to remain accurate. Whilst we encourage you to check back for updates from time to time, if you are a customer of iwoca we will communicate with you via email should we make any material changes to this policy. This Privacy Policy was last updated on 1st May 2026.