Welcome to iwoca’s privacy notice.

1. What is the purpose of this document?

At iwoca, we respect your privacy and are committed to protecting your personal data. This privacy notice will let you know how we will collect, process and protect your personal data.

The data controller is iwoca Ltd. However, if you are approved for a CBILS or RLS loan, funding may be provided by iwoca Skye Finance Ltd, in which case that entity will be the data controller.

2. Contact Details

If you have any questions about this privacy notice, you can contact us in the following ways:

Email address: contact@iwoca.co.uk (or you can contact our Data Protection Officer by emailing dpo@iwoca.co.uk)

Postal address: iwoca Ltd, 101 New Cavendish St, London, W1W 6XH

Telephone number: 020 3397 3375

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to address your concerns before you approach the ICO so please contact us in the first instance.

3. How we use your personal data

We will only use your personal data when the law allows us to. The most common bases for processing your data are the following:

• The processing is necessary under a contract we have with you, or is necessary in order to enter into a contract with you;
• Where we need to comply with a legal obligation; or
• Where it is necessary for our legitimate interests.

‍

What do we mean by ‘legitimate interests’?

There are some processing activities which do not fall within other lawful bases (e.g. it’s not a legal obligation or contractual requirement) but are still necessary for a legitimate purpose that we are trying to achieve (such as sending you a letter about a new product). This isn’t a catch-all that allows us to process your data for any reason, we can only rely on this lawful basis if it’s necessary to achieve a particular purpose and if we’ve balanced our interests against yours.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, along with the lawful basis on which we will do so. We have also identified what our legitimate interests are where appropriate.

‍

‍

In some instances, we may use your data in ways that are not described above. However, we will inform you before doing so.

4. The data we collect about you (from third parties)

We may receive personal data about you from third parties under the following circumstances:

• If you are the borrower, or main guarantor for your company, we receive information about your financial standing (including your credit score and repayment history) and address history from credit reference agencies. We will also receive information from fraud agencies on any fraudulent activity reported by other financial institutions (this will include instances in which you were a victim of fraud); 
• If you are an additional guarantor, your name, date of birth and contact details would have been provided to us by the main guarantor. We will also collect the information listed above from credit reference and fraud agencies; 
• If you are a director or beneficial owner of one of our customers, your name, date of birth and address will have been provided to us by the main guarantor;
• If your application was referred to us by one of our partners or brokers, then they will provide us with all information required in order to make a decision;
• If you link your bank account as part of a credit application, we will receive the transaction history on your account directly from your bank; 
• If you are financially associated with a borrower or guarantor (via a joint bank account or mortgage, for example), we will also receive information about your financial standing from the credit reference agencies; and
• We obtain marketing data from third party lead generators. If your business is included in this data, it may also include your name and contact details.
• Information about your business or company, such as previous credit applications and the conduct of your accounts, and similar personal credit information

5. Credit reference agencies

If you are a iwoca credit facility customer, in order to process your application (or an application for a credit facility which you will guarantee), we will perform credit and identity checks on you with one or more credit reference agencies (Equifax, Experian and TransUnion). If you are an iwocaPay Seller, in order to onboard you we will perform identity checks on you with one or more credit reference agencies (Equifax, Experian and TransUnion).

If you are a director or beneficial owner, but you are not guaranteeing the credit facility, we will perform identity checks with one or more credit reference agencies (Equifax, Experian and TransUnion) as part of this application. We may also make periodic searches at credit reference agencies to manage your account with us

To do this, we will supply your name, date of birth and address history to the credit reference agencies and they will give us information about you. Credit reference agencies will supply to us both public (including electoral register) and shared credit, financial situation, financial history, and fraud prevention information.

We will use this information to:

• Assess your creditworthiness and whether your business can afford to take the product;
• Verify your identity;
• Verify the accuracy of the data you have provided us;
• Prevent criminal activity, fraud and money laundering;
• Manage your account(s), including conducting ongoing credit checks to ensure that you or your business remains eligible for the agreed credit facility;
• Trace and recover debts; and
• Ensure any offers we provide are appropriate to you and your business’ circumstances.

‍

In utilising the data held with credit reference agencies, we must abide by the Principles of Reciprocity by contributing the same level of credit performance data that we receive. As such, we will continue to exchange information about your repayment history with credit reference agencies while you have a relationship with us. We will also inform the credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This information will be provided to other organisations that run a credit check on you with the credit reference agencies, such as other finance providers.

When credit reference agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you have a financial associate, we will also receive information about their financial standing from the credit reference agencies. A financial associate is someone you’re linked to through joint finances or joint credit account.

The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share information, data retention periods and your data protection rights with the credit reference agencies are explained in the Credit Reference Agency Information Notice (“CRAIN”). The CRAIN document is accessible from each of the three credit reference agencies, or by clicking on each of these three links:

• TransUnion CRAIN
• Equifax CRAIN
• Experian CRAIN
• Experian Identity and Fraud privacy notice

6. Fraud prevention agencies

Before we provide financing to your business, we undertake checks for the purposes of preventing fraud and money laundering, and to verify the identity of the guarantors. These checks require us to process personal data about you if you are a guarantor.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that we will process include, for example: name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address.

We and fraud prevention agencies may also enable enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the financing your business has requested.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

7. Who we share your personal data with

In addition to the credit reference and fraud prevention agencies described above, we may also share your personal data with the following third party data processors who will assist us in providing our services to you:

• providers of software platforms (such services will include email, marketing data analytics, identify verification, lead management, hosting and data storage);
• outsourced service providers who process some of our applications and help us make fast decisions;
• to our suppliers, sub-contractors and third parties (which can include payment processors, marketing and sales outreach providers; providers of telecommunications and postal services; and professional advisers)
• social media sites, for the purposes of conducting market research and running marketing campaigns (it is important to note that, when sharing data with these sites, we ensure that your data is only used in accordance with our instructions)
• if we are required to do so by applicable law and regulation or by any governmental, tax, regulatory body or law enforcement agency;
• with any third party you have given us permission to share your personal data with

‍

If your details were originally passed to us via a partner, broker or other such referral platform, we may report your application outcome and loan status back to that platform. Your loan status includes your loan balance, information on your repayments, and your eligibility to top up your loan. Likewise, you may also agree to us introducing you to other lenders, in which case, we may pass information about you and your business (and other information in support of your application) to those lenders.

We instruct third parties to act on our behalf in order to collect an outstanding debt. This can include debt collectors, lawyers, tracing agents, insolvency practitioners, process servers and enforcement officers.

Your personal data, as well as details of our loan book, will be shared within the iwoca group of companies and with our investors and third parties acting on their behalf. This data can include details of guarantors (including their credit score).

8. International transfers

Some of the data processors we use are outside the EU, or may host your personal data outside the EU.

Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

• Your personal data is transferred to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
• Where we use certain service providers, we may use specific contracts approved by the European Commission which gives your personal data the same protection it has in the EU. For further details, see European Commission: Model contracts for the transfer of personal data to third countries;
• We will be introducing International Data Transfer Agreements, and International Data Transfer Addendums in line with UK GDPR requirements. See International Data Transfer Agreement and guidance;
• Some of our providers will have binding corporate rules in place, see European Commission: Binding Corporate Rules.

‍

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EU.

9. Automated decisions

We may also automatically decide whether or not to lend to you or your business, how much to lend, at what interest rate and under what terms.

You have rights in relation to automated decision making, such as the right to request human intervention or challenge a decision in certain circumstances. If you want to know more, please contact us using the contact details above.

10. How long we will retain your data for

The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested deletion of the data, and whether we have any legal or regulatory obligation to retain the data. We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. We will typically keep your data for up to 7 years after you last had an active account or product with us, or 7 years after you made or started an application. We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes.

11. Your legal rights

You have rights under the data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:

• The right to be informed
• The right of access
• The right to get your data corrected
• The right to get your data deleted
• The right to object to the use of your data
• The right to limit how organisations use your data
• The right to data portability

‍

Where the lawful basis for processing your personal data (see section 3 above) is your consent, then you will also have the right to withdraw your consent at any time. If you wish to exercise any of the rights set out above, please call, email or write to us. When you do so, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. Changes to this document

We will amend this Privacy Policy from time to time to comply with applicable laws and regulations or to meet our changing business requirements. You are encouraged to periodically review this page for the latest information on our privacy practices and amendments to our Privacy Policy.

‍

Last updated - June 2025

‍

‍