COLCAP UK PRIVACY POLICY

1. Who are we?
We are ColCap Financial UK Limited (company number: 14127877) (“ColCap”) (“we”, “our”, “us”).
Please read the following information carefully. If you have any questions about your personal data please chat with us through our web chat, or by emailing us at ColCap at legal@colcap.com.au or by writing to us at Data Protection Officer, ColCap Financial UK Limited, 84 Eccleston Square, Pimlico, London SW1V 1PX .

We’re registered with the Information Commissioner’s Office under number ZB393683 (ColCap).

2. Introduction
We are committed to protecting and respecting your privacy, being completely open and transparent in the way we collect or obtain your personal data and how we treat that information.
For the purposes of applicable data protection legislation, we are a data controller in respect of the information that we collect or obtain about you. This is because we determine why and how your personal data is processed.
Personal data includes information relating to natural persons who:

(a) can be identified or who are identifiable, directly from the information in question; or
(b) who can be indirectly identified from that information in combination with other information.

The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering, and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in this privacy notice.

Special Category Personal Data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation. We generally do not collect Special Category Personal Data and we further restrict collection of such data unless it is necessary for us to provide our Services to you and where we have either obtained your express consent or a permitted general situation exists. For example, we may collect health information about you to assess certain claims, including hardship, or we may collect voice biometric information to verify your identity or authorise transactions.

Credit Information is information which we use to assess your eligibility to be provided with credit and may include any credit that you have outstanding, your repayment history and any defaults. Usually, credit information is exchanged between credit providers and credit references agencies. We may use credit eligibility information being credit reporting information supplied to us by a credit reference agency, and any information that we derive from it to make decisions regarding your eligibility for credit.

3. Personal data collected on our Website
This privacy notice applies when you visit or use our website, mobile applications, APIs or when we are providing relevant services to you (the ‘Services’). We are committed to safeguarding the privacy of our website visitors and Service users.
By using our Services, you agree to the terms of this privacy notice.

4. Wish to Stay Anonymous?

You can withhold your personal data when speaking with us if you are making a general enquiry. However, if you wish for us to provide you with our Services, we will need to identify you.

5. How your information is collected
Most information will be collected from you personally, this can be taken by us:
(a) if you call or email us;
(b) when we provide our Services to you;
(c) when we manage our customer relationships and service provider relationships;
(d) from credit reference agencies and from mortgage brokers, mortgage managers, your representatives and other people such as accountants and lawyers;
(e) if you provide us with feedback or make a complaint;
(f) if we provide you with our Services;
(g) if you apply for an account with us;
(h) when CCTV footage is recorded at our offices or premises;
(i) your information that is in the public domain;
(j) if you subscribe to our newsletters and marketing lists;
(k) from third parties for e.g., following an introduction to us by another third party or comparison website; and
(l) other information that may be collected include details provided on a resume sent to us relating to an employment opportunity.

We may obtain your credit related personal data:
(a) When making an application or negotiating with a lender on your behalf.
(b) From a credit reference agency when we have obtained your credit report with your consent.
(c) We may also receive your personal data from another party by any other means. If we do, we will apply the applicable data protection legislation in deciding whether it is lawful to keep the information received.
(d) We may also receive your personal data from third parties that we deal with on your behalf including brokers and mortgage managers and from our other service providers.
(e) Any information we receive that we are not lawfully required to hold will be deleted or destroyed.

6. Why we process your personal data
The main reason we collect, use, hold and disclose personal data is to provide you with products and Services (including where applicable, third-party products and services) and to help us run our business. This includes:
(a) confirming your identity;
(b) checking whether you are eligible for our Services;
(c) assisting you where online applications are not completed;
(d) providing our products or Services to you, including administration of our Services and notifications about changes to our Services;
(e) helping manage the Service that we provide to you;
(f) helping us develop insights and conduct data analysis to improve the delivery of products, services, enhance our customer relationships and to effectively manage risks;
(g) minimise risks and identify or investigate fraud and other illegal activities;
(h) comply with laws and assist government or law enforcement agencies;
(i) record-keeping purposes, technical maintenance, obtaining or maintaining insurance coverage, managing risks or obtaining professional advice, managing our business – that is, to carry on our business activities and provide our Services to you;
(j) to prevent fraud, crime or other activity that may cause harm in relation to our Services and help us run our business and maintain integrity;
(k) bringing you new products and services;
(l) understanding your interests and preferences so we can tailor digital content;
(m) as permitted by law and to comply with legislative or regulatory requirements in any jurisdiction, for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, to prevent; and
(n) in addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

We may also use your personal data to tell you about our Services we think may interest you or for a purpose related to the primary purpose of collection or where you would reasonably expect that we would use the information in such a way, subject to legal restrictions on using your personal data for marketing purposes.
We may also de-identify your personal data which we have collected for the purposes described in this privacy notice. If we are dealing with a request you have made in order to exercise your legal and regulatory rights (including those referred to in the ‘Your rights under applicable data protection legislation’) below, this will be done in compliance with applicable data protection legislation.
Any consent that you give us will be as easy to withdraw as it was to give. Withdrawing your consent does not affect the lawfulness of any processing which occurred prior to the withdrawal of consent. If you withdraw your consent, we will stop processing your personal data where we have no legitimate right or business requirements to retain or process your personal data.

7. Who your personal data may be shared with
We may disclose your personal data:
(a) to any member of our corporate group of companies insofar as reasonably necessary for the purposes of this privacy notice and providing our Services, and on the legal bases allowed under the applicable data protection legislation and as set out in this privacy notice;
(b) to prospective funders or other intermediaries in relation to your credit requirements;
(c) to other organisations that are involved in managing or administering your credit such as third-party suppliers, brokers, mortgage managers, lenders mortgage insurers, trade insurers, valuers, third party service providers, service providers for the purposes of verifying your identity, surveyors, accountants, credit reference agencies, recoveries firms, debt collectors, lawyers, call centres, printing and postal services;
(d) to regulatory and supervisory bodies;
(e) to associated businesses that may want to market products to you;
(f) to companies that provide information and infrastructure systems to us;
(g) to anybody who represents you, such as mortgage brokers, mortgage managers, your representatives, lawyers, and accountants;
(h) related entities and third-party service providers who assist us in our operations and certain tasks including the verifying of your identity and information technology services;
(i) to our suppliers or subcontractors insofar as reasonably necessary to provide the relevant Services to you;
(j) to anyone, where you have provided us with your consent;
(k) where we are required to do so under anti-money laundering and counter-terrorism laws;
(l) to investors, agents or advisers, or any entity that has an interest in our business;
(m) organisations that provide products or services used or marketed by us; or
(n) to your employer or referees.
Prior to disclosing any of your personal data to another person or organisation, we will take all reasonable steps to satisfy ourselves that:
(i) the person or organisation has a commitment to protecting your personal data at least equal to our commitment;
(ii) is legally able to seek access to your personal data in accordance with applicable data protection legislation or any other laws; or
(iii) you have consented to us making the disclosure.

Circumstances may arise where, whether for strategic or other business reasons, we decide to sell, buy, merge or otherwise reorganise our business in some countries. Such a transaction may involve the disclosure of personal data to prospective or actual purchasers or receiving it from sellers. It is ColCap’s practice to seek appropriate protection for information, including personal data, in these types of transactions.

8. Overseas Recipients
Prior to disclosing your personal data to an overseas recipient, unless a permitted general situation applies, we will take all reasonable steps to ensure that:
(a) the overseas recipient does not breach the applicable data protection legislation;
(b) the overseas recipient is subject to a law, or binding scheme, or contractual terms that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way your personal data is protected under the applicable data protection legislation; or
(c) you have consented to us making the disclosure.
Acceptance of any of our Services via an application in writing, orally or electronic means, will be deemed as giving consent to the disclosures detailed herein.
Currently we are handling, storing, and processing your data in the following locations United Kingdom, Australia, Asia (Philippines via our call centre) and USA through the use of our cloud storage, technological products and services via other service providers.
The locations where we handle, store and process your data may change as our business needs changes and we appoint other service providers from time to time. Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.

9. Direct Marketing
We may use your personal data for direct marketing. This means we may send information to you that relates to promotions within our group companies.
You have the right to object to our processing of your personal data for direct marketing purposes. If you make such an objection, we will cease to process your personal data for this purpose.
If you do not wish to receive marketing information, you may at any time decline to receive such information by contacting us using the contact information set-out in the ‘Introduction’ section of this privacy notice. If the direct marketing is by email, you may also use the unsubscribe function.
We will not sell your personal data to other companies or organisations.

10. Automated decision making

In order to be as efficient and streamline as possible, we may perform automated processing (i.e., processing that is carried out without human intervention) on your personal data, to evaluate certain things about you. In particular, we may do this to analyse or predict (amongst other things) your economic situation, credit history, age, personal preferences, interests or behaviour. This could mean that automated decisions (i.e., decisions that are made without human intervention) are made about you using your personal data. For example, if you do not meet an element of our lending criteria (such as being over 18 or being a resident in the UK) any application for credit will be automatically declined. If you do meet our eligibility criteria, whether we lend will then be determined by your credit status.
We may automatically decide that you pose a fraud or money laundering risk as a result of our fraud prevention searches or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making; if you want to know more, please contact us using the contact information set-out in the ‘Introduction’ section of this privacy notice.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You can object to your personal data being used in this way. We are permitted to use automated decision-making in accordance with applicable data protection legislation. Where we engage in automatic decision-making or profiling in connection with a contract between us or further to your explicit consent, we implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention from us in the course decision-making process, and the opportunity to express your point of view and to contest the decision.

11. Fraud Prevention
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. The information we hold about you could make it easier or harder for you to get credit in the future. To find out more about the fraud prevention agencies we use and how they manage your information, please visit cifas.org.uk/fpn
If you have any questions about this, please contact us.

12. Credit information
Credit Reference Agencies (CRA) are authorised by law to handle your credit related information. If you apply for credit, we may disclose your personal data to, or collect personal credit related information from a CRA and other credit lending entities.
CRAs may include credit related information provided by us in reports provided to other credit providers to assist such other credit providers to assess the individual’s credit worthiness.
As permitted by law, we may collect, hold, use or disclose credit related information held about you for the purposes of:
(a) credit liability information being information about your existing credit which includes the name of the credit provider, whether the credit provider holds an appropriate licence, the type of credit, the day the credit is entered into, the terms and conditions of the credit, the maximum amount of credit available, and the day on which the credit was terminated;
(b) repayment history information which is information about whether you meet your repayments on time;
(c) information about the type of credit that you have applied for;
(d) assessing and forming decisions as to whether to provide you with credit or to accept a guarantor;
(e) participating in the exchange of credit related information with other credit providers including obtaining from and providing information to CRAs and other credit providers and/or trade suppliers;
(f) to assist you with debt management and administration;
(g) to provide you with our Services;
(h) default and payment information;
(i) to undertake debt recovery and enforcement activities, including in relation to guarantors, and to deal with serious credit infringements;
(j) court proceedings information;
(k) to deal with complaints and meet legal and regulatory requirements; and
(l) to assist other credit providers to do the same.
When we obtain credit information from a CRA about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed.
When Credit reference agencies receive a search from us, they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRA’s will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRA to break that link.

13. Credit Information handling and Credit Reporting
In assessing your credit application and providing the Services to you, we may exchange your personal data, as well as your consumer and commercial credit information with the following entities, including but not limited:
(a) to obtaining credit information about you from Experian Limited (Experian) and we may provide to Experian your personal data with respect of your credit information and credit report and your data protection rights with Experian as a credit reference agency are explained in more detail in their information notice at: experian.co.uk/crain/index.html;
(b) other credit providers for the purposes of assessing your creditworthiness, credit standing, and credit history or credit capacity;
(c) finance brokers, mortgage managers, lawyers and such other persons who assist us to provide our Services to you;
(d) Our funders that we may use to provide the Services to you.
If you have been or have a reasonable belief that you are likely to be a victim of fraud, you can contact Experian’s victim of fraud support team who may be able to help you clear up your credit report after you have been a victim of ID fraud.

14. Updating your personal data
It is important to us that the personal data we hold about you is accurate and up to date. During the course of our relationship with you, we may ask you to inform us if any of your personal data has changed.
If you wish to make any changes to your personal data, you may contact us. We will generally rely on you to ensure the information we hold about you is accurate or complete.

15. Your rights under applicable data protection law
Your personal data is protected under data protection law and you have a number of rights (explained below) which you can seek to exercise. Please contact us using the contact information set-out in the ‘Introduction’ section of this privacy notice if you wish to do so, or if you have any queries in relation to your rights.
In this section we have summarised the rights that you have under applicable data protection laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
The summary of your principal rights under applicable data protection laws are:
(a) to request, at any time, for us to inform you of the personal data we hold about you;
(b) the right to access your personal data and we will respond to you within 30 days of making a request;
(c) the right to rectification of your personal data;
(d) the right to erasure (where we have no legitimate right or business requirements to retain your personal data);
(e) the right to restrict or object to processing (where we have no legitimate right or business requirements to process your personal data);
(f) you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you;
(g) the right to data portability which includes the right to receive, move, copy or transfer your personal data to another controller;
(h) the right to complain to a supervisory authority; and
(i) the right to withdraw your consent (where we have no legitimate right or business requirements to retain or process your personal data).
We may refuse to give you access to personal data we hold about you if we reasonably believe that giving access would pose a serious threat to the life, health or safety of an individual, or to the public health or safety, where giving access would be unlawful, where giving access would have an unreasonable impact on the privacy of other individuals, if there are legal proceedings, or if we consider the request to be frivolous or vexatious.

16. Children’s privacy
We are committed to protecting the privacy needs of children and we encourage parents and guardians to take an active role in their children’s online activities and interests. We do not knowingly collect information from children under the age of 18 and we do not target our Website or any of our services to children under the age of 18.

17. Keeping your personal data secure
We are committed to protecting the information you provide us. To prevent unauthorised access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, we have in place appropriate technological and operational procedures to safeguard the information we collect.
We will take reasonable steps to protect your personal data by storing it in a secure environment. We may store your personal data in paper and electronic form. We will also take reasonable steps to protect any personal data from misuse, loss and unauthorised access, modification or disclosure.
If we are no longer required or wish to keep your personal data for the purpose it was collected, we will securely destroy it or remove all identity features from the information unless we are legally required to keep it for a period of 6 years after an account is closed.

18. How we monitor your communications
Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.

19. How long will your personal data be stored for
We only keep your personal data for as long as it is necessary to fulfil the purposes for which it is processed (as described above). In accordance with our retention policy, we will retain your personal data for a minimum of six years from the end of our business relationship with you. Our business relationship will be deemed to be at an end on the date upon which your account is closed (which will either be when all outstanding sums under the agreement have been repaid or when we stop pursuing arrears on the account) or when your application has been declined. Please note that if your personal data is shared with third parties (as detailed above) they may have different retention policies. Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years.

20. What to do if you have concerns or want to make a complaint
If you have any concerns regarding our use of your information, please notify our as soon as possible using the contact information set-out in the ‘Introduction’ section of this privacy notice. If we cannot resolve a complaint to your satisfaction, you can contact the Information Commissioner’s Office at www.ico.org.uk or by telephoning 0303 123 113 if the complaint relates to the way your personal data has been handled.

21. Changes to this privacy notice
We may update this privacy notice from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this privacy notice and keep a copy for your records. We will not file a copy of this privacy notice on each individual’s file that we have.

This privacy notice is version 1.0 dated 28 October 2022.