Privacy Notice

Privacy Notice

Effective from 1 March 2024

Introduction

This privacy notice explains how we use your personal information, sets out your rights under the new laws and explains how the law protects you.

“Personal information” means information about a living individual who can be identified from that information (either by itself or when it is combined with other information). If we provide you or a business in which you are financially linked with a product or service, then we will use your personal information in the ways set out in this notice.

We are unable to provide you with a product or service or to process your application without having personal data about you. Your personal data is required before you can enter into the relevant contract with us, or it is required during the life of that contract, or it is required by laws that apply to us. If we already hold some of the personal data that we need – for instance if you are already a customer – we may not need to collect it again when you make your application.

If you make an application for your business, we will also collect the personal data about all individuals who are linked to the business, for example beneficial owners, directors or officers of your company, who you must include on the application form. You must show the Privacy Notice to all the linked individuals and ensure they know you will share their personal data with us for the purposes described in it. In addition, we ensure this Privacy Notice is accessible by all prospective customers via our website, we will share it with you when you onboarding as a customer, and we make it available at all times within our customer portals.

We may update our Privacy Notice from time to time. When we do we will publish the updated Privacy Notice on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it.

Who are we?

DF Capital Group is made up of DF Capital Bank Limited and DF Capital Financial Solutions Limited, which are subsidiaries of Distribution Finance Capital Holdings plc, registered in England and Wales (company number: 10198535). Registered office: St James’ Building, 61-95 Oxford Street, Manchester M1 6EJ. DF Capital Bank Limited is authorised by the Prudential Regulation Authority (PRA) and regulated by the Financial Conduct Authority (FCA) and the PRA (Financial Services Register No. 848291). DF Capital Financial Solutions Limited is not authorised by the PRA or FCA, its commercial lending products are not regulated. It is supervised by the FCA for anti-money laundering purposes only.

DF Capital Bank Limited and DF Capital Financial Solutions Limited are registered with the Information Commissioner Office (ICO) (registration no ZA286044 and ZB643339, respectively) and are the “controllers” for the purposes of data protection laws in relation to any personal information held about you. Herein, both companies will be referred to as ‘DF Capital’.

Our privacy promise

DF Capital wants to be a trusted financial partner and is committed to protecting and respecting your privacy. We will always treat your information as confidential, even when you are no longer a customer.

How the law protects you?

As well as our Privacy Promise, your privacy is protected by law. Under Data Protection Laws we can only process your personal information where we have a proper reason for doing so. This includes sharing it outside the Group. The law says we must have one or more of these reasons:

  • we are required to do so by law i.e. a legal obligation
  • you have granted us consent to process your personal information
  • you have entered or you are considering entering into a contract with us for a financial product or service
  • it is in our own legitimate interests to do so

A legitimate interest is when we have a business or commercial reason to use your information for example to prevent abuse and loss, to strengthen IT and payment security or for marketing purposes. But even then, it must not unfairly go against what is right and best for you.

What personal data do we collect?

Depending on the product and services you have requested or you are interested in, we collect and process different kinds of personal data, including:

  • basic personal information, including name and address, date of birth and contact details
  • documentary data, e.g. details about you that are stored in documents in different formats, or copies of them. this could include things like your passport, driver’s license, or birth certificate
  • financial information, e.g. your financial position, status and history
  • socio-demographic information, e.g. details about your work or profession, nationality, and where you fit into general social or income groupings
  • transactional information, e.g. details about payments to and from your accounts with us
  • social relationships, e.g. information about your family, friends and other relationships
  • contractual information, e.g. details about the products and services we provide to you and your preferences towards them
  • communications, e.g. what we learn about you from letters, emails, and conversations between us

There may be times when the information we hold about you includes sensitive personal data, such as information relating to racial or ethnic background or your health and vulnerability status. We will only hold this data when we need to for the purposes of the product or services we provide or where we are legally required to do so. We will always seek your explicit consent to process sensitive personal data

Letting us know if your personal information is incorrect

We want our service to always meet your expectations and therefore need the information we hold about you to be accurate and up to date. Please help us by telling us straightaway if there are any changes to your personal information. It is important that you tell us about any changes to your contact details, including your email address or mobile number.

Where do we collect your information from?

We hold personal and financial information about you (or your business) which you have provided to us or which we have collected/received from elsewhere such as:

  • information you give us on application forms
  • information we get from how you use your facilities
  • details of who supplies goods and services to you
  • when you use our website, including secure messages online
  • information from other organisations, such as credit reference, fraud prevention agencies, data aggregators, comparison websites
  • government and law enforcement agencies
  • information that we gather from publicly available sources, such as the press, social networks, the electoral register, Company House and online search engines
  • when you talk to us on the phone
  • when you use our websites or mobile device apps
  • in emails and letters
  • in customer surveys
  • if you take part in a competition or promotions
  • information from people or businesses you are financially linked to
  • information that other people give us such as your advisors, brokers, introducers or agents working on our behalf
  • information we get from analysing your financial situation and transaction history, such as Open Banking data providers to whom you’ve given your express consent to share your data

Why do we collect your information?

DF Capital stores and uses your information to manage your facilities and to provide services that suit your needs. This includes making payments, loan advances, customer services, customer administration, credit assessment and marketing as well as compliance with statutory obligations. Additionally, we may need to use your data for several other reasons including the following:

Assessing the suitability of products or services

We will use your information to assess whether our products and services are suitable for you or for a business you are financially linked to, including making credit decisions. This may involve credit scoring and regular statistical analysis to produce management information relating to risk. We may look at your information when deciding whether to approve an application for credit by a person you are linked to, including when that person applies on behalf of a business. We may also link your information to the information relating to other people you are financially linked to, if you make a joint application or if you tell us that you have a husband, wife, civil partner or partner. You should make sure you have shared the relevant information from this notice with them.

Verifying your identity and using Credit Reference Agencies

If you apply for a new product or service from us, we may perform credit and identity checks on you and certain individuals connected to you or your business with one or more credit reference agencies (“CRAs”), data aggregators or digital identification screening providers. We may also make periodic searches with these third parties to manage your account and maintain up to date records.

To do this, we will supply your personal information to the CRAs and digital identification screening providers, and they will give us information about you. This may include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take a product
  • Verify the accuracy of the information you have provided to us
  • Confirm identities
  • Prevent criminal activity, fraud and money laundering
  • Manage your account(s)
  • Trace and recover debts
  • Ensure any offers provided to you are appropriate to your circumstances

We may continue to exchange information about you with CRAs while you have a relationship with us. We may also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other organisations. The type of footprint left is dependent upon the search that is conducted.

If you are making a joint application, or tell us that you have a spouse or financial associate, we may link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application.

We need to confirm your identity before we provide products or services to you or your business.

Once you have become a customer of ours, we will also share your personal information as needed to help detect fraud and money-laundering risks. We use CRAs to help us with this.

We or a CRA (in their fraud prevention role) may allow law enforcement agencies to access your personal information. This is to support their duty to detect, investigate, prevent and prosecute crime.

CRAs can keep personal information for different lengths of time. For example, they can keep your information for up to six years if they find a risk of fraud or money-laundering.

We and CRAs may process your personal information in systems that look for fraud by studying patterns in the data. We may find that an account is being used in ways that fraudsters work. Or we may notice that an account is being used in a way that is unusual for you or your business. Either of these could indicate a possible risk of fraud or money-laundering.

If we or a CRA decide there is a risk of fraud, we may stop activity on the accounts or block access to them. CRAs will also keep a record of the risk that you or your business may pose.

This may result in other organisations refusing to provide you with products or services, or to employ you.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.experian.co.uk/crain.

Fraud prevention agencies

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering.

If you provide false or inaccurate information and we find that you have committed fraud, you could be refused certain services, finance, or employment and details we will pass your details to fraud prevention agencies. Law enforcement agencies may also access and use this information.

Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by www.cifas.org.uk/fpn.

Protecting you

We may record or monitor phone calls for security and compliance purposes. We may also collect information associated to your wellbeing of status as a vulnerable individual, to enable us to adjust our product or service offering accordingly. We will always seek your consent before recording this data.

Research purposes

We may also use your information for research purposes which may include profiling to understand your buying preferences. Using your personal information in this way allows us to develop, improve and market our products and services to meet your legitimate interests.

Sharing your information

We do not sell or trade your information to third party organisations. There are circumstances where we need to provide information to other people who assist us in conducting our business or servicing you or your business or in identifying potential financial crime or where we are under a legal or regulatory obligation to do so. For these reasons we may share your personal information with, for example:

  • Credit reference agencies
  • Identity verification agencies
  • Fraud prevention agencies
  • Asset registration services
  • Data aggregators
  • HM Revenue & Customs, regulators and other statutory bodies and authorities
  • UK Financial Services Compensation Scheme and the Financial Ombudsman Service
  • Our regulators and certain statutory bodies as required by law
  • Any trustees, beneficiaries, administrators or executors associated with your account
  • Someone you nominate or authorise to act on your behalf
  • People who give guarantees or other security for any amounts you owe us
  • Companies we have a joint venture or agreement to co-operate with
  • Our professional advisors and auditors
  • Organisations that introduce you to us
  • Companies that we introduce you to
  • Independent market researcher organisations
  • Your financial advisors or agents working on our behalf
  • Price comparison websites and similar companies that offer ways to research and apply for financial products and services
  • People you ask us to share your information with
  • Direct Debit scheme, if you use direct debits
  • Other lenders who also hold a charge on the asset, if you have a secured loan with us
  • Other companies in the Group to assess credit risk or to help us run your facilities. We may also share your information within the Group to prepare research and analyse statistics (including analysing risk and credit) so that we can improve our services.

We will sometimes arrange for service providers, agents and subcontractors, including those from outside the European Economic Area (EEA), to provide services and process your information on our behalf. We will make sure that these service providers, agents and subcontractors have a duty to keep your information confidential and secure, and that they only process your information as set out in a written contract. Where we use third parties from outside the EEA, we will ensure that your rights under Data Protection Laws are safeguarded through the appropriate protections.

To meet our duties to regulators, we may allow authorised people to see our records (which may include information about you) for reporting, compliance and auditing purposes. For the same reason, we will also hold the information about you when you are no longer a customer.

We may also share your personal information with other organisations if we sell, transfer, or merge parts of our business or our assets, or if we seek to acquire other businesses or merge with them. If any such change to our business happens, these other parties may then use your information in the same way as set out in this Privacy Notice.

Any parties we share your information with agree to keep all information supplied secure and protected from unauthorised access.

How long do we keep your information?

We will only keep your personal information for as long as is necessary to administer any relationships that you hold with us. This means that we may hold your personal information after your relationship with us ends for up to seven years.

We may do this for the following reasons:

  • to respond to any questions or complaints
  • to show that we treated you fairly
  • to maintain records according to regulatory and statutory rules that apply to us
  • To allow us to preserve, defend or enforce any relevant legal rights we may have

We may keep your data for longer than seven years if we cannot delete it for legal or regulatory reasons. If we do, we will make sure that your privacy is protected and only use it for those purposes.

Your privacy rights

You have several rights under the Data Protection Laws in relation to the way we process your personal data, which are set out below. We will aim to respond to any request received from you in relation to exercising your rights within 30 days from your request, although this may be extended in some circumstances in line with Data Protection Laws.

  • Access – You have the right to access the information that we are processing about you and to be told where the information comes from and what we use it for. You also have the right to be informed about how long we store your information and about those with whom we share your information. Your right of access may, however, be restricted by law, the need to protect another individual’s privacy or consideration for the DF Capital commercial business strategies and operations. You must write to us if you want to see this information. Access to your data will usually be provided free of charge, although in certain circumstances we may make a small charge where we are entitled to do so under Data Protection Laws.
  • Rectification – You have a right to rectification of inaccurate personal information and to update incomplete personal information.
  • Restriction – You have a right to request us to restrict the processing of your personal information. You may request us to restrict processing your personal information if you believe that:
    • any of the information that we hold about you is inaccurate;
    • we no longer need to process your information for the purposes for which it was provided; or
    • we are not using your information in a lawful manner
  • Erasure – You have a right to request that we delete your personal information. You may request that we delete your personal information if you believe that:
    • we no longer need to process your information for the purposes for which it was provided;
    • we have requested your permission to process your personal information and you wish to withdraw your consent; or
    • we are not using your information in a lawful manner.
  • Objection – You have a right to object to the processing of your personal information, unless we can demonstrate compelling and legitimate grounds for the processing, which may override your own interests.
  • Portability – You have a right to receive the personal information you provided to us in a portable format. You may also request us to provide it directly to a third party, if technically feasible.

Rights with respect to personal data are bound by the legitimate need for DF Capital to process data for statuary, regulatory and contractual purposes. Thus, certain of the above rights will be limited e.g. we’re required by law to retain some of your data for a particular period.

If you wish to exercise any of these rights or if you have any queries about how we use your personal information that are not answered here, you can contact our Data Protection Office at the address at the end of the Privacy Notice.

Profiling and automated decision making

DF Capital may use automated decision making, including profiling, to approve applications for loans or credit, to prevent fraud and, in the case of profiling, to be able to offer you specific services and products that meet your preferences and to target our marketing in general. You have the right not to be subject to automated decision making (including profiling), where it affects your legal rights or has an adverse impact on you, for example, the refusal of an online credit application. If you have given us your consent to process your data and the processing is automated, you have the right to get your personal information from us in an electronic format that can easily be reused. You can also ask us to pass your information in this format to other organisations. If you wish to exercise any of these rights, please write to our Data Protection Officer at the address at the end of this notice.

Customer experience

We are keen to keep you up to date with changes to the service we provide or interruptions to our service, or also to remind you to activate and use the online services for which you have registered. If you have given us your email address or mobile number, we may use these to send you messages. If you do not want us to contact you by text message or email, please contact us and we will delete these details from our records.

Marketing

Through our marketing programme, we may identify and tell you about products and services supplied by us that we consider may be of interest to you. We may do this by phone, mail, email, text or through other digital media where you have given us your consent to being marketed by these methods. You can decide how much direct marketing you want to accept. You can contact us at any time if you do not want to receive marketing information. Whatever you choose, you will still receive statements, and other important information such as changes to your existing products and services.

How to withdraw your consent?

Once you have given us your consent you can withdraw it at any time, unless there is another legal reason under the Data Protection Laws that allows us to process your information. Please note that if you withdraw your consent, we might not be able to provide you our products or services. If this is so, we will tell you. You can withdraw your consent at any time by getting in touch with us at data.protection@dfcapital.bank or using the contact details at the end of this notice. The withdrawal of your consent will be processed as soon as possible.

Cookies and tracking pixels

Cookies are small files that a website or its service provider transfers to your computer’s hard drive through your web browser (if you allow) that enables the sites or service providers’ systems to recognise your browser and capture and remember certain information. We use cookies to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

Tracking pixels are a similar technology to cookies, but they are embedded within an email rather than on a website. We may use tracking pixels to monitor whether a recipient has opened an email we have sent them. We will request that you opt-in to our use of pixels or optional cookies. You can find out about cookies and how we use them in our cookie policy here.

How to complain

If you are unhappy with how we have handled your personal information, you can contact our Data Protection Office at the address at the end of this notice.
You also have the right to complain to the Information Commissioner’s Office. You can call their helpline on 0303 123 1113, or you can visit their website (www.ico.org.uk) for information on how to make a data protection complaint.

Data Protection Officer

We have appointed a Data Protection Officer to advise us about our data protection obligations and to monitor compliance. You can contact the Data Protection Officer by writing to the Data Protection Officer, DF Capital, St James’ Building, 61-95 Oxford Street, Manchester M1 6EJ or by emailing us at data.protection@dfcapital.bank.

Previous versions of our Privacy Notice

February 2024 – in use until 29 February 2024