We've sent you an email with a link to reset your password.
Contact us if you don't receive this within the next few minutes.
At iwoca Ltd, we're committed to keeping your information private and secure. This notice sets out the personal data we collect and what we will do with it.
If you have any questions about this policy, you can email as at firstname.lastname@example.org or call us on 020 3778 0105. You can also write to us at 247 Tottenham Court Road, London W1T 7QX.
You can also contact our Data Protection Officer by emailing email@example.com
We will collect personal data on anyone who submits an application to iwoca, any additional directors or shareholders of a limited company, any partners of a limited liability partnership and any loan guarantors.
We may collect and process the following personal data about you:
This information may have been collected directly from you through your online account or may have been submitted by someone else, such as another director of the company or a broker. We may also obtain information about you from credit reference and fraud prevention agencies, please see the section on data sharing below for more detail.
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
Your personal data will be used to prevent fraud and money laundering, and to verify your identity. The personal information that will be processed as part of such checks includes the type of personal data described above.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, in order to protect our business and to comply with laws. Such processing is also a contractual requirement of the services or financing you have requested.
Below is a list of the other ways in which we may use your personal data, the reasons we rely on to do so and what our legitimate interests are.
|Processing activity||Reasons||Our legitimate interests|
|Where you are a sole trader or a guarantor, conducting personal credit checks as described below||
To fulfill our contract with you
To comply with our legal obligations
For our legitimate interests
|Assessing you/your business’ eligibility for credit|
|Setting up, administering and managing our customers’ accounts||Effectively managing our relationship with you and your business|
|Conducting risk modelling and analysis||For our legitimate interests||Continuously improving the services that we provide to you and other customers|
|Marketing our products and services to you (which you can choose to opt-out from)||Working out which of our products and services may interest you and telling you about them|
In some instances, we may use your data in ways that are not described above. However, we will inform you before doing so.
We may share your personal information with third parties in the following circumstances:
In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (either Equifax, Experian or Callcredit). We may also make periodic searches at credit reference agencies to manage your account with us.
To do this, we will supply your name, date of birth and address history to the credit reference agencies and they will give us information about you. Credit reference agencies will supply to us both public (including electoral register) and shared credit, financial situation, financial history, and fraud prevention information.
We will use this information to:
In utilising the data held with credit reference agencies, we must abide by the Principles of Reciprocity by contributing the same level of credit performance data that we receive. As such, we will continue to exchange information about your repayment history with credit reference agencies while you have a relationship with us. We will also inform the credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This information will be provided to other organisations than run a credit check on you with the credit reference agencies, such as other finance providers.
When credit reference agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share information, data retention periods and your data protection rights with the credit reference agencies are explained in the Credit Reference Agency Information Notice (“CRAIN”). The CRAIN is accessible from each of the three credit reference agencies - clicking on each of these three links will take you to the same CRAIN document:
We run external fraud checks which involve sharing some of your personal data with third party fraud prevention agencies. The information we share with those third parties includes some of the information that you share with us (such as, your email address), and some of the information from your online interactions (such as the IP address of your device).
These agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.
Whenever fraud prevention agencies transfer your personal data outside of the EU, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EU. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Good Data Lab, mentioned above, is based in Hyderabad, India. Strict controls are in place to monitor the operations of Good Data Lab and our contract with them includes the EU’s Standard Contractual Clauses which ensure adequate safeguards for your data and privacy rights.
When sharing your personal data with other 3rd party processors as described above, this data may be may stored on databases outside of the EU. In such cases, we will impose contractual obligations on them in order to protect your data to the standard required in the EU and ensure that your data and privacy rights are not infringed. This may also involve requiring third parties to subscribe to recognised international frameworks intended to enable secure data sharing, for example the Standard Contractual Clauses, or, where the personal data is transferred to the USA, the Privacy Shield certification program.
Standard Contractual Clauses and confirmation of Privacy Shield certification are available on request.
We may also automatically decide whether or not to lend to you or your business, how much to lend, at what interest rate and under what terms.
You have rights in relation to automated decision making, such as the right to request human intervention or challenge a decision in certain circumstances. If you want to know more, please contact us using the contact details above.
The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested deletion of the data, and whether we have any legal obligation to retain the data (for example, for regulatory compliance). We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. For example, we will typically keep your data for up to 10 years after you last had an active account or product with us, or after you made or started an application. We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes.
We implement, and regularly review, technical and organisational measures designed to protect personal data that we process from unauthorised disclosure, use, alteration or destruction. For example, we limit staff access to personal data and enforce two-factor authentication.
Your personal data is protected by legal rights, which include your right to:
For more information or to exercise your data protection rights, please contact us using the contact details above.
You also have a right to complain to the Information Commissioner’s Office, which is the UK regulator which upholds rights in relation to individual’s personal data.
We may update this notice (and any supplemental privacy notice), from time to time. We will notify of the changes where required by law to do so.
Last modified - May 2018