Privacy Policy

1 Introduction

Welcome to UpShift Finance. We respect your privacy and are committed to protecting your personal data. As a lender, we handle sensitive financial information. This Privacy Policy explains how we collect, use, share, and protect your personal data when you apply for a business loan, visit our website, or use our services.
‍
We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable Financial Conduct Authority (FCA) regulations.
‍
The data controller is UpShift Finance Ltd, company number 16836327. However, if funding is provided by a specific investment vehicle or partner entity, that entity may also act as a data

2 Contact Details

If you have any questions about this privacy policy, specifically regarding how we handle your data, you can contact us in the following ways:
‍
• Email: inbox@upshiftfinance.co.uk
‍
• Postal Address: 201 Haverstock Hill, Second Floor C/O Fkgb, London, England, NW34QG, UK
‍
• Telephone: +44 7908 706602
‍
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to address your concerns before you approach the ICO, so please contact us in the first instance.

3 The Data We Collect

3.1 Data You Provide

We collect personal data about sole traders, partners, and company directors/shareholders of the businesses applying for finance. This includes:
‍
• Identity Data: First name, last name, date of birth, marital status, passport or driving licence details (for KYC/AML checks).
‍
• Contact Data: Residential address, email address, and telephone numbers.

• Financial Data: Personal and business bank account details, bank statements, transac- tion history, credit scores, and tax information.

• Open Banking Data: If you connect your bank account via Open Banking (AIS), we collect read-only transaction data to assess affordability.
‍
• Technical & Usage Data: IP address, browser type, device information, and how you use our website (for fraud prevention).

3.2 Data We Collect from Third Parties

We may receive personal data about you from third parties under the following circumstances:
‍
• Credit Reference Agencies (CRAs): If you are the borrower or guarantor, we receive information about your financial standing (credit score, repayment history) and address history.
‍
• Fraud Prevention Agencies: We receive information on fraudulent activity reported by other financial institutions.
‍
• Guarantors/Directors: If you are an additional guarantor, director, or beneficial owner, your details (name, date of birth, contact details) may be provided to us by the main applicant.
‍
• Brokers/Partners: If your application was referred to us by a broker or partner, they will provide us with the information required to make a decision.
‍
• Financial Associates: If you are financially associated with a borrower (e.g., via a joint bank account), we may receive information about your financial standing from CRAs.

4 How We Use Your Data (Legal Basis)

We rely on specific legal bases to process your data.
‍
What do we mean by ‘Legitimate Interests’ ? There are some processing activities which do not fall within other lawful bases (e.g., it is not a legal obligation or contractual requirement) but are still necessary for a legitimate purpose that we are trying to achieve (such as fraud prevention or marketing). We only rely on this lawful basis if it is necessary to achieve a particular purpose and if we have balanced our interests against yours.

The following table describes how we use your personal data:

Purpose

Legal Basis

Assessing your loan application (Underwriting)

Performance of a Contract: We cannot assess your eligibility or offer a loan without processing this data.

Identity Verification & Anti-Money Laundering (AML)

Legal Obligation: We are required by law (Proceeds of Crime Act 2002) to verify your identity.

Credit Checks & Fraud Prevention

Legitimate Interest: To prevent fraud, ensure responsible lending, and protect our business assets.

Debt Collection & Recovery

Legitimate Interest & Contract: To re-cover funds owed to us under the loan agree-ment.

Reporting to Credit Reference Agen-cies (CRAs)

Legitimate Interest: To maintain the integrity of the UK financial ecosystem andresponsible lending practices.

Marketing our products and services

Legitimate Interest: Direct marketingof our products and services (you can opt-out).

Call recordings and audio transcrip-tions

Legitimate Interest: To respond to com-plaints and for staff training purposes.

5 Credit Reference Agencies (CRAs)

In order to process your application, we will perform credit and identity checks on you and your business partners with one or more Credit Reference Agencies (CRAs), including TransUnion, Equifax, and Experian.
‍
To do this, we supply your personal information to CRAs and they will give us information about you. This includes information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation, and financial history information and fraud prevention information.
‍
Principles of Reciprocity: We will continue to exchange information about you with CRAs while you have a relationship with us. We will inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organizations by CRAs (leaving a "search footprint" on your credit file).
‍
The identities of the CRAs, their role as fraud prevention agencies, and their data protection notices (CRAIN) are available here:
‍
• TransUnion: www.transunion.co.uk/crain
‍
• Equifax: www.equifax.co.uk/crain

• Experian: www.experian.co.uk/crain

6 Fraud Prevention Agencies (FPAs)

Before we provide financing, we undertake checks for the purposes of preventing fraud and money laundering. We and fraud prevention agencies may also enable enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.
‍
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Further details of how your information will be used by prevention agencies, and your data protection rights, can be found by www.cifas.org.uk/fpn.

7 Automated Decision Making (ADM)

We use automated systems to make credit decisions about you. This involves using technology to assess your creditworthiness and affordability without human intervention.

• Logic Involved: Our system analyzes your credit score, application data, and banking history to calculate a risk score.
‍
• Consequences: This may result in an automated decline of your loan application or the determination of your interest rate.
‍
• Your Rights: Under the UK GDPR, you have the right to request human intervention. If your application is declined automatically, you may contact us to request a manual review or challenge the decision.

8 Data Sharing

We may share your personal data with various parties, including but not limited to the following:
‍
• Service Providers: IT and system administration services, payment processors, and Open Banking providers.
‍
• Debt Collection Agencies: If you fail to repay your loan, we instruct third parties (debt collectors, lawyers, tracing agents) to recover the debt.
‍
• Investors/Funders: We may share anonymized or pseudonymized portfolio data with institutional investors who fund the loans we originate.
‍
• Brokers/Affiliates: If you were introduced to us via a partner or broker, we may report your application outcome and loan status back to them.
‍
• Professional Advisers: Lawyers, bankers, auditors, and insurers.
‍
• Regulators: HM Revenue & Customs (HMRC), the FCA, and the ICO.

9 International Transfers

Whenever we transfer your personal data out of the UK or the European Economic Area (EEA), we ensure a similar degree of protection is afforded to it by using specific contracts approved for use in the UK which give personal data the same protection it has in the UK (e.g., the UK International Data Transfer Agreement or standard contractual clauses).

10 Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.
‍
• Loans: We retain data for 6 years after the end of our relationship with you (Limitation Act 1980).
‍
• Declined Applications: We retain data for 12 months to handle queries and prevent fraud.

11 Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include:
‍
• The right to be informed: You have the right to be told how we use your data (this Policy).
‍
• The right of access: You can ask for a copy of the personal data we hold about you.
‍
• The right to rectification: You can ask us to correct data that is wrong.

• The right to erasure: You can ask us to delete your data (note: as a lender, we of-ten cannot delete data if you have an active loan or outstanding debt due to legal/AMLrequirements).
‍
• The right to object: You can object to the processing of your data (e.g., for marketing).
‍
• The right to restrict processing: You can ask us to limit how we use your data.

• The right to data portability: You can ask us to transfer your data to another organi-zation.If you wish to exercise any of the rights set out above, please contact us at inbox@upshiftfinance.co.uk.