Welcome to iwoca’s privacy notice.
At iwoca, we respect your privacy and are committed to protecting your personal data. This privacy notice will let you know how we will collect, process and protect your personal data.
The data controller is iwoca Ltd. However, if you are approved for a CBILS loan, funding may be provided by iwoca Skye Finance Ltd, in which case that entity will be the data controller.
If you have any questions about this privacy notice, you can contact us in the following ways:
Email address: contact@iwoca.co.uk (or you can contact our Data Protection Officer by emailing dpo@iwoca.co.uk)
Postal address: iwoca Ltd, 247 Tottenham Court Road, London, W1T 7QX
Telephone number: 020 3397 3375
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to address your concerns before you approach the ICO so please contact us in the first instance.
We will only use your personal data when the law allows us to. The most common bases for processing your data are the following:
What do we mean by ‘legitimate interests’?
There are some processing activities which do not fall within other lawful bases (e.g. it’s not a legal obligation or contractual requirement) but are still necessary for a legitimate purpose that we are trying to achieve (such as sending you a letter about a new product). This isn’t a catch-all that allows us to process your data for any reason, we can only rely on this lawful basis if it’s necessary to achieve a particular purpose and if we’ve balanced our interests against yours.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, along with the lawful basis on which we will do so. We have also identified what our legitimate interests are where appropriate.
| Processing activity | Lawful basis |
|---|---|
| Application details to conduct a creditworthiness assessment | To work out product eligibility as a required step of entering into a contract with you. |
| Incoming payments, debit card payments and funding | Necessary under our contract with you |
| Where you are a sole trader, beneficial owner, director or a guarantor, conducting personal credit, fraud and KYC checks | In order to enter into a contract with you and to comply with our legal obligations |
| Setting up, administering and managing our customers’ accounts | Necessary under our contract with you |
| Marketing our products and services to you (which you can choose to opt-out from) | For our legitimate interests in the direct marketing of our products and services |
| Credit Reference Agency checks | As a prerequisite of entering into a contract with you |
| Fraud Prevention Agency checks | As a prerequisite of entering into a contract with you. |
| Anti-Money Laundering checks | To fulfil our legal/regulatory obligations |
| Complaints handling | To fulfil our legal/regulatory obligations |
| Arrears management (including the instruction of third parties) | Necessary under our contract with you |
| Recording personal data concerning the mental/physical health of our customers | We will obtain your consent but may also apply our legitimate interests to determine the right outcome for you |
| Call recordings and audio transcriptions | For our legitimate interests to respond to complainants and for staff training purposes |
| Targeted advertising service | For our legitimate interests to define types of customers for our products and services |
In some instances, we may use your data in ways that are not described above. However, we will inform you before doing so.
We may receive personal data about you from third parties under the following circumstances:
In order to process your application (or an application for a credit facility which you will guarantee), we will perform credit and identity checks on you with one or more credit reference agencies (Equifax, Experian and TransUnion). We may also make periodic searches at credit reference agencies to manage your account with us.
To do this, we will supply your name, date of birth and address history to the credit reference agencies and they will give us information about you. Credit reference agencies will supply to us both public (including electoral register) and shared credit, financial situation, financial history, and fraud prevention information.
We will use this information to:
In utilising the data held with credit reference agencies, we must abide by the Principles of Reciprocity by contributing the same level of credit performance data that we receive. As such, we will continue to exchange information about your repayment history with credit reference agencies while you have a relationship with us. We will also inform the credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This information will be provided to other organisations that run a credit check on you with the credit reference agencies, such as other finance providers.
When credit reference agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share this information with them, before completing the application.
The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share information, data retention periods and your data protection rights with the credit reference agencies are explained in the Credit Reference Agency Information Notice (“CRAIN”). The CRAIN document is accessible from each of the three credit reference agencies, or by clicking on each of these three links:
Before we provide financing to your business, we undertake checks for the purposes of preventing fraud and money laundering, and to verify the identity of the guarantors. These checks require us to process personal data about you if you are a guarantor.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that we will process include, for example: name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address.
We and fraud prevention agencies may also enable enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the financing your business has requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
In addition to the credit reference and fraud prevention agencies described above, we may also share your personal data with the following third party data processors who will assist us in providing our services to you:
Social media sites, for the purposes of conducting market research and running marketing campaigns (it is important to note that, when sharing data with these sites, we ensure that your data is only used in accordance with our instructions).
If your details were originally passed to us via a partner, broker or other such referral platform, we may report your application outcome and loan status back to that platform. Likewise, you may also agree to us introducing you to other lenders, in which case, we may pass information about you and your business (and other information in support of your application) to those lenders.
We instruct third parties to act on our behalf in order to collect an outstanding debt. This can include debt collectors, lawyers, tracing agents, process servers and enforcement officers.
Your personal data will be shared within the iwoca group of companies and details of our loan book are also shared with our investors and third parties acting on their behalf. This data can include details of guarantors (including their credit score).
Some of the data processors we use are outside the EU, or may host your personal data outside the EU.
Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:
Some of our providers will have binding corporate rules in place, see European Commission: Binding Corporate Rules.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EU.
We may also automatically decide whether or not to lend to you or your business, how much to lend, at what interest rate and under what terms.
You have rights in relation to automated decision making, such as the right to request human intervention or challenge a decision in certain circumstances. If you want to know more, please contact us using the contact details above.
The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested deletion of the data, and whether we have any legal or regulatory obligation to retain the data. We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. We will typically keep your data for up to 10 years after you last had an active account or product with us, or 7 years after you made or started an application. We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes.
You have rights under the data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
Where the lawful basis for processing your personal data (see section 3 above) is your consent, then you will also have the right to withdraw your consent at any time. If you wish to exercise any of the rights set out above, please call, email or write to us. When you do so, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Last updated - April 2020