How we collect and use your personal information.

1. Introduction

CapitAll Finance Holdings Ltd respects your privacy and is committed to protecting personal information. This policy explains what information we collect, where it comes from, how we use it, who we may share it with, how long we keep it and the rights you may have under data protection law.

This policy should be read together with any other privacy notice, fair processing notice, loan documentation, broker documentation or transaction document we provide on a specific occasion.

2. Who we are

CapitAll Finance Holdings Ltd is registered in England and Wales, company number 17069620. CapitAll A Limited is registered in England and Wales, company number 17095446. CapitAll A Limited is the lender of record and is a subsidiary of CapitAll Finance Holdings Ltd. CapitAll A Limited is registered with the Financial Conduct Authority for anti-money laundering supervision under Firm Reference Number 1055075. This does not mean that all products or services on this website are regulated by the Financial Conduct Authority.

For the purposes of this policy, CapitAll Finance Holdings Ltd is the controller responsible for deciding how personal information is used. Our Data Protection Lead is Richard Whitehouse.

3. Who this policy applies to

This policy may apply to applicants, borrowers, guarantors, chargors, directors, shareholders, PSCs, UBOs, introducers, brokers, funders, professional counterparties, complainants, website users, enquirers, suppliers, service providers and CapitAll personnel.

If you provide personal information about another person, you must have authority to do so and should make sure they are aware of this policy where appropriate.

4. Information we collect

• Identity and contact details, including name, date and place of birth, nationality, address history, email, phone number and KYC images or video where required.
• KYC documents, including passport or ID, driving licence, proof of address, company extracts, structure charts, trust deeds, resolutions and mandates.
• Corporate and ownership information, including directorships, PSC/UBO data, shareholdings, control arrangements and authority to borrow or charge.
• Financial and credit information, including assets, liabilities, bank statements, income or affordability information where relevant, credit, CCJ and insolvency data.
• Property and security information, including title, tenure, planning, licensing, tenancy schedules, insurance, valuation outputs and related photographs.
• Transaction and performance information, including terms, drawdowns, repayments, redemptions, completion statements, distribution schedules and monitoring outcomes.
• Screening and risk information, including sanctions, PEP, adverse media, ongoing monitoring alerts and AML/CTF/PF risk notes.
• Technical, usage, communications, file-note, complaint and correspondence information.

5. How we collect information

We may collect information directly from you through forms, email, calls, meetings, documents and correspondence. We may also receive information from introducers, brokers, funders, solicitors, valuers, surveyors, insurers, screening providers, identity providers, credit reference agencies, company registries, property registries and lawful public sources, including Companies House, Land Registry and open-source media.

We may monitor or record calls, emails, messages or other communications where lawful and appropriate for business, training, compliance, evidence, security, system operation, crime prevention or dispute-management purposes.

6. How we use your information

• To respond to enquiries and communicate with applicants, borrowers, guarantors, introducers, brokers, funders and professional counterparties.
• To assess, originate, underwrite, administer, service and monitor loans.
• To prepare offers, security, drawdowns, completion records, servicing records and enforcement records.
• To carry out AML, CTF, PF, sanctions screening, fraud prevention, recordkeeping and regulatory checks.
• To verify identity, ownership, authority, title, valuation, insurance and security information.
• To assess borrower profile, property risk, leverage, exit route, funding availability and portfolio risk.
• To manage payments, fees, charges, repayments, arrears, defaults, variations, redemptions, enforcement and recoveries.
• To manage queries, complaints, claims, audits, legal obligations, security incidents and business records.
• To administer, protect, maintain and improve our website, systems, business operations and communications.

7. Lawful basis

We only use personal information where the law allows us to. The lawful bases we may rely on include contract, legal obligation, legitimate interests, consent where required, fraud prevention, regulatory requirements and legal claims.

8. Special category and criminal-offence data

We do not set out to collect special category or criminal-offence data unless it is necessary and lawful. We may incidentally process this type of information where it is revealed by sanctions, PEP, adverse media, court judgment, insolvency, fraud, enforcement or due diligence checks.

Where this information is processed, we do so for purposes such as regulatory compliance, prevention or detection of crime, legal claims, risk assessment and responsible lending controls, with access limited to those who need it.

9. Children and minors

Our website and services are not intended for children. We do not knowingly collect personal information from children through this website. If information relating to a minor is relevant to a transaction, it should only be provided where lawful and necessary.

10. If you do not provide information

Where we need information to assess an enquiry, comply with law, perform due diligence, prepare documents, complete a transaction or manage a loan, failure to provide it may mean we cannot proceed, must delay a transaction, withdraw terms, decline an application or take other steps required by law or policy.

11. Keeping information accurate

It is important that the personal information we hold about you is accurate and current. Please tell us if your personal information changes during your relationship with us.

12. Change of purpose

We will normally use personal information only for the purpose for which it was collected, unless we reasonably consider that we need to use it for another compatible purpose. If we need to use it for an unrelated purpose, we will explain the legal basis where required.

We may process information without further notice where this is required or permitted by law.

13. Sharing your information

We share information only where necessary and proportionate. This may include introducers, brokers, borrowers, guarantors, funders, solicitors, valuers, surveyors, insurers, screening providers, identity-check providers, credit agencies, monitoring providers, IT providers, secure document storage providers, payment providers, regulators, courts, law enforcement and other transaction parties.

We do not sell personal data. We require service providers to treat personal information securely and only use it for authorised purposes. Where service providers process personal information for us, we expect appropriate data processing terms to be in place.

14. International transfers

Some service providers may access or process personal information outside the UK. If personal information is transferred to a country without UK adequacy regulations, we use appropriate safeguards such as contractual protections, transfer assessments or equivalent data protection safeguards.

15. Marketing

We may send information about CapitAll products, services or updates similar to those you already use or enquire about. You can opt out at any time using the unsubscribe link or by contacting us. Where consent is required for electronic marketing, we will seek consent.

We will not share your information with unrelated third parties for their own marketing purposes without your consent where consent is required.

16. Cookies

Our website may use essential cookies to operate properly. We may also use analytics, performance or tracking tools to understand website usage, measure performance and improve the website. You can usually set your browser to refuse cookies or alert you when cookies are being used, but some parts of the website may not work properly if cookies are disabled.

17. Data security

We use technical and organisational measures appropriate to risk, including access controls, role-based permissions, encryption where practicable, multi-factor authentication, secure configuration, vendor due diligence, confidentiality controls, logging, monitoring, staff training and incident response procedures.

We limit access to personal information to those who have a business need to know and are subject to confidentiality or appropriate handling obligations.

18. Data retention

We keep personal information only as long as needed for the purposes described in this policy and to comply with law. Loan, AML/KYC, screening, source of funds, source of wealth and decision records are normally kept for at least 5 years from the end of the business relationship or last transaction, and may be kept for up to 6 years or longer where needed for limitation, claims, legal, regulatory, audit, enforcement or recovery purposes.

Contracts, security and legal documents may be kept for 6 years after expiry or enforcement. Complaints are normally kept for 3 years after closure. Breach and data request logs are normally kept for 3 years after closure. Vendor and processor due diligence records may be kept for the life of the contract plus 3 years.

19. Automated decisions

We do not make lending or other decisions with legal or similarly significant effects solely by automated means. Any automated risk screening or scoring is reviewed and confirmed by a human decision-maker.

20. Your legal rights

• Right of access — you can ask whether we hold personal information about you and request a copy.
• Right to rectification — you can ask us to correct incomplete or inaccurate information.
• Right to erasure — you can ask us to delete information in certain circumstances.
• Right to restrict processing — you can ask us to restrict processing in certain circumstances.
• Right to object — you can object to processing based on legitimate interests and to direct marketing.
• Right to data portability — where applicable, you can request data in a structured, commonly used and machine-readable format.
• Right to withdraw consent — where we rely on consent, you can withdraw it at any time.

These rights are not absolute and may be subject to lawful limitations, including where information must be retained for compliance, fraud prevention, regulatory, recordkeeping or legal claims purposes.

21. Exercising your rights

To exercise your rights, contact the Data Protection Lead using the details below. We may need to verify your identity before responding. We normally respond within one month of receiving a verified request. There is normally no fee, but we may charge a reasonable fee or refuse requests that are manifestly unfounded, excessive or repetitive.

22. Complaints

If you are unhappy with how we handle your personal information, you can contact us first so we can try to resolve the issue. You also have the right to complain to the UK Information Commissioner’s Office.
ICO website: www.ico.org.uk
ICO telephone: 0303 123 1113
ICO address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

23. Contact

24. Updates

We may update this policy from time to time. The latest version will be made available on our website, on request or with relevant loan application documentation. Material changes will be highlighted where appropriate.