Data & privacy

36 articles in this topic.

Are your phone calls recorded?

Calls to and from Credicorp Limited are recorded. We do this for staff training, to monitor and improve service quality, and to keep an accurate record of what was discussed and agreed.

Keeping a recording protects you as well as us: if there is ever a question about what was said — for example, an arrangement we agreed or instructions you gave — the recording is an impartial record we can both rely on.

Our Audio Recording page explains the practice in full, and our Privacy Policy sets out how recordings are stored, who can access them and how long they are kept. Recording also supports the checks we run when we verify it is really you on the phone. For guidance on how we contact customers, see how Credicorp will and won't contact you.

See also: Can I get my data in a portable format?, Can I object to how you use my data?, Can I restrict how you process my data?.

Can I ask Credicorp to delete my business's data?

UK GDPR gives individuals a right to erasure — sometimes called the right to be forgotten. You can ask Credicorp to delete personal data we hold about you, and we will act on that request where we are legally able to do so.

When we can delete data

  • Where the data is no longer necessary for the purpose for which it was collected
  • Where you withdraw consent and there is no other lawful basis for processing
  • Where you object to processing based on legitimate interests and those interests do not override yours
  • Where data was processed unlawfully

When we must retain data despite a request

We are not able to erase records where retention is required by law. This includes:

  • AML and KYB records under the Money Laundering Regulations (typically five years from the end of the relationship)
  • Financial records needed to comply with HMRC requirements or the Limitation Act 1980
  • Records necessary to establish, exercise, or defend a legal claim

In these cases we will tell you which data we cannot delete and why, and what we can delete in the meantime.

How to submit an erasure request

Email data@credicorp.co.uk with the subject line "Erasure Request", your full name, the company name and number, and the specific data or categories of data you want deleted. We will respond within one calendar month.

We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.

See also: How to request a copy of your business data, How long Credicorp keeps your business data.

Can I get my data in a portable format?

Data portability is the right to receive personal data you provided to us in a structured, commonly used and machine-readable format, and to have it sent to another organisation where this is technically feasible. It is narrower than a subject access request and only applies in particular circumstances.

When it applies

  • The data was provided by you, rather than data we created or inferred.
  • We process it based on your consent or on a contract.
  • The processing is carried out by automated means.

What it does not cover

Portability does not apply to data we process under a legal obligation, such as anti-money-laundering records, or to information we generated about you, such as internal assessments. For a full copy of what we hold, a subject access request is the right route.

How to ask

Contact our data protection team and say you want to exercise data portability. We will provide the qualifying data in a reusable format and, where you ask and it is feasible, transmit it directly to another organisation.

Cost and timing

This is normally free, and we aim to respond within one month. If a request is especially complex, we may extend the period and will tell you if so.

See also: Can I restrict how you process my data?, How do I request a copy of my data? and How do I get a copy of my data?.

Can I object to how you use my data?

You have a right to object to certain processing of your personal data. How strong the right is depends on why we are using the data, so it helps to know which uses you can stop completely and which you can challenge.

Marketing: an absolute right

You can object to direct marketing at any time, and we must stop. There is no balancing test for this; once you opt out, we will not send you marketing, although we may still contact you about a live facility for service reasons.

Other processing: a qualified right

Where we rely on legitimate interests, you can object on grounds relating to your particular situation. We will stop unless we can show compelling legitimate grounds that override your interests, or we need the data to establish or defend legal claims.

Where the right does not apply

  • Processing we must do to meet a legal obligation, such as anti-money-laundering checks.
  • Processing necessary to perform the contract for your company's facility.

How to object

Contact our data protection team and tell us what you want to stop and, for legitimate-interests objections, why. We will review and respond within one month, explaining the outcome. If you disagree, you can complain to the Information Commissioner's Office. Our privacy policy sets out how we handle your data in full.

See also: How do I request a copy of my data?, Can I restrict how you process my data? and How do I complain about how you handled my data?.

Can I restrict how you process my data?

The right to restriction lets you ask us to limit how we use your personal data in specific circumstances. When processing is restricted, we can usually still store the data but not otherwise use it, except in limited cases.

When you can ask for restriction

  • You have contested the accuracy of data, while we check it.
  • The processing is unlawful but you prefer restriction to erasure.
  • We no longer need the data, but you need us to keep it for a legal claim.
  • You have objected to processing, while we consider your objection.

What restriction means

While a restriction is in place, we will generally only store the data. We may still process it with your consent, for a legal claim, to protect someone else's rights, or for important public-interest reasons. We will tell you before lifting any restriction.

How to ask

Contact our data protection team and explain which data you want restricted and why. We will confirm whether the right applies and what we have done. Where we have shared the data, we will tell relevant third parties about the restriction where possible.

If we cannot restrict

Some data must keep being processed to meet legal obligations. If so, we will explain why and what alternatives may help.

See also: Can I get my data in a portable format?, Can I object to how you use my data? and Making a complaint: your options and our process.

Do you make automated decisions about my application?

To make applications quicker and more consistent, we use automated processing at certain points, for example to run identity, fraud and credit checks and to help assess risk. UK data protection law gives you specific protections where decisions are made by automated means and have a significant effect.

Your protections

  • The right to be told when significant automated decision-making is used.
  • The right to request human involvement in the decision.
  • The right to express your point of view and to contest the outcome.

How we apply this

Where an outcome could significantly affect your company, we make sure a person is able to review it rather than leaving it entirely to a machine. Automation supports our team; it does not replace accountability for the result.

If you want a review

Contact our data protection or lending team and ask for the decision to be looked at again by a person. It helps to tell us anything you think we missed or got wrong. We will explain the main factors behind the outcome where we can, without disclosing confidential fraud-prevention methods.

A note on scope

Because Credicorp is an exempt business lender, the Financial Ombudsman Service does not apply, but your right to a human review of significant automated decisions still does.

See also: What happens if your application is declined, Can I restrict how you process my data?, Can I object to how you use my data?.

Do you transfer my data outside the UK?

Most personal data we hold is processed within the UK. In some cases, a service provider we use may process data outside the UK, for example where a technology partner operates from another country. When that happens, UK data protection law requires appropriate safeguards.

How transfers are protected

We only allow a transfer outside the UK where one of the recognised protections applies, so your data keeps an essentially equivalent level of protection. These include:

  • Adequacy, where the destination country is recognised by the UK as providing adequate protection.
  • Contractual safeguards such as the UK International Data Transfer Agreement or the Addendum to standard contractual clauses.
  • Additional measures where needed, such as encryption and access controls.

Why a transfer might happen

Transfers are usually about infrastructure, such as where a hosting or support service is located, rather than about sharing data for new purposes. The reason for processing does not change just because a provider operates abroad.

Finding out more

Our privacy notice explains our approach to international transfers. If you want to know whether your data is processed outside the UK and what safeguards apply, our data protection team can tell you.

See also: How do I complain about how you handled my data?, How do I complain about how my data is handled? and How do I request a copy of my data?.

Glossary: what does special category data mean?

Special category data is personal data that UK GDPR treats as more sensitive and protects more strictly. Using it requires not only a lawful basis but also an additional condition under the law.

What it covers

  • Racial or ethnic origin.
  • Political opinions, religious or philosophical beliefs.
  • Trade union membership.
  • Genetic and biometric data used to identify someone.
  • Health data, and data about sex life or sexual orientation.

Why it gets extra protection

Misuse of this kind of data can cause greater harm, so the law sets a higher bar. Organisations must identify a specific extra condition before processing it, and apply stronger safeguards.

Does Credicorp process it?

As a business lender to companies, we do not normally need special category data, and we avoid collecting it. In rare cases it might arise, for example if you choose to tell us about a health-related circumstance affecting the business. Where that happens, we handle it under the stricter rules and keep it to a minimum. Note that data about criminal offences is handled under separate rules, not as special category data.

See also: Glossary: what is a data controller?, What are my rights under UK GDPR? and Arrears (glossary).

Glossary: what is a data controller?

A data controller is the organisation that decides why and how personal data is processed. Under UK GDPR, the controller carries the main legal responsibility for handling data lawfully, fairly and securely.

How it differs from a processor

A data processor acts on a controller's instructions and only does what the controller tells it to do with the data. A processor cannot decide to use the data for its own purposes. For example, a technology provider that hosts our systems under contract is typically a processor, while we remain the controller.

Why it matters to you

  • The controller is who you contact to exercise your data rights.
  • The controller is accountable if something goes wrong.
  • The controller chooses the lawful basis for each use of data.

In Credicorp's case

Credicorp is the data controller for the personal data we hold about the directors and contacts of a borrowing company. We are registered with the Information Commissioner's Office. Our privacy notice explains, as controller, how we use your data and how to reach us.

See also: Who is the data controller for my information?, Glossary: what does special category data mean?, What are my rights under UK GDPR?.

How do I ask you to delete my data?

You have the right to ask us to delete the personal information we hold about you — often called the right to erasure or the "right to be forgotten" under the UK GDPR. We honour it. But erasure is not absolute: some records we are legally required to keep for a set period, and this article explains, honestly, what can and cannot be erased and when.

How to make the request

Use the General Support Enquiry form and tell us you are making an erasure request, or contact our privacy team directly. We will verify your identity first — this protects you from someone else asking us to delete or expose your records — and then act on the request within the statutory time limit.

What we can delete

Where we are holding data only because you consented, or for a purpose that no longer applies, we will erase it on request. Common examples include marketing-contact data and information tied to an enquiry that did not lead to a loan. If you simply want marketing to stop, you do not need a full erasure request — you can withdraw consent per channel in your preferences.

What we usually cannot delete straight away

  • A live loan. While an agreement is active we have to keep the records needed to administer it and to meet our legal and regulatory obligations.
  • Loan and repayment history. After the agreement ends, lending and repayment records — including data shared with business credit reference agencies — are retained for a defined period so other lenders see an accurate picture. See how long we keep your records for the timescales.
  • Anti-money-laundering and identity records. The law requires us to keep these for a set period after our relationship ends.

When a record falls under one of these exceptions, we will tell you which exception applies and when the data will become eligible for deletion, rather than simply refusing.

Your other data rights

Erasure is one of several rights. You can also ask for a copy of your data through a subject access request, ask us to correct anything inaccurate, and object to certain uses. Our Privacy Policy sets out the full list and how we handle each one.

A note on credit reference data

We cannot unilaterally erase records held by a business credit reference agency about your company; those are governed by the agency's own retention rules. What we can do is correct anything we have reported inaccurately and ask the agency to update it — see what we share with business credit reference agencies.

See also: Are your phone calls recorded?, Can I get my data in a portable format?, Can I object to how you use my data?.

How do I complain about how you handled my data?

If you think we have not handled your personal data properly, you can raise a concern and we will look into it. We would rather hear from you and put things right than have a problem go unaddressed.

Step one: tell us

Contact our data protection team through the help centre or the details in our privacy notice. It helps to explain what happened, which data is involved and what you would like us to do. We will investigate and respond, usually within one month.

Step two: the regulator

If you remain unhappy, or you would prefer to go straight there, you can complain to the Information Commissioner's Office, the UK's independent data protection regulator. You can find their contact details and complaint process on the ICO website.

An important distinction

Because Credicorp is an exempt business lender, the Financial Ombudsman Service does not handle complaints about us, and FSCS protection does not apply. That is about the lending regime, not data protection. For data concerns specifically, the ICO is the relevant body and your data rights are the same as with any UK organisation.

Your other rights are unaffected

Making a complaint does not stop you using your other rights, such as access or rectification, at the same time.

See also: How do I complain about how my data is handled?, Can I object to how you use my data? and Do you transfer my data outside the UK?.

How do I correct inaccurate information you hold?

You have the right to have inaccurate personal data corrected and incomplete data completed. This is called the right to rectification. Keeping data accurate is also our own obligation, so we welcome corrections.

How to ask

Contact our data protection team through the help centre or the details in our privacy notice. Tell us which information is wrong and, where you can, what it should say. It helps if you can point us to the specific record, such as a contact detail or a name spelling.

What we do next

  • We check the data and correct it where it is clearly wrong.
  • If the accuracy is disputed, we may restrict processing while we investigate.
  • Where we have shared the data with a third party, we will tell them about the correction where reasonably possible.

Things to keep in mind

Some records are factual statements of what happened, such as a note of a past conversation. We can correct genuine errors, but we cannot rewrite an accurate historical record simply because you would prefer it said something else. If we disagree on accuracy, we will explain why and you can add your own statement to the record.

Time to respond

We aim to respond within one month. Straightforward corrections are usually much quicker.

See also: How do I get a copy of my data?, How do I request a copy of my data? and How do I ask you to delete my data?.

How do I make a data subject access request?

You have the right to ask for a copy of the personal information we hold about you — known as a subject access request.

To make one, contact our privacy team or use the General Support Enquiry form, telling us it is a data subject access request. We will verify your identity and respond within the statutory time limit. The 'Your rights' section of our Privacy Policy explains the process and the other rights you have over your data.

See also: How do I get a copy of my data?, How do I request a copy of my data? and How do I correct inaccurate information you hold?.

How do I manage my marketing preferences with Credicorp?

Credicorp may send your company updates about products, rate changes, and relevant content by email and through the portal. You are in control of whether you receive these communications and can update your preferences at any time.

How to update your preferences

  • In the portal: Go to Settings → Notifications → Marketing. You can toggle email and in-portal marketing on or off independently.
  • By email: Every marketing email we send includes an unsubscribe link. Clicking it removes the recipient address from marketing lists within a short processing period.
  • By contacting us: Email data@credicorp.co.uk or message your account manager and we will update your preferences manually, confirming when it has been done.

What opting out does and does not affect

Opting out of marketing does not stop us sending service communications — messages about your account, repayment schedules, limit changes, or anything else directly related to the running of your facility. These are not marketing and we are required to send them regardless of your marketing preference.

Multiple contacts at the same company

Marketing preferences are held per email address, not per company. If several directors or employees are listed on your account, each person can manage their own preferences independently. Opting out one contact does not automatically opt out others at the same company.

See also: What data Credicorp collects from your business, How to request a copy of your business data.

How do I opt out of marketing messages?

You have an absolute right to stop direct marketing, and we will respect that as soon as we can action it. Marketing means messages promoting our products or offers, such as updates about Credicorp Flex or Credicorp Slice features.

Ways to opt out

  • Use the unsubscribe link in any marketing email.
  • Update your contact preferences in the portal, where available.
  • Tell our team directly through the help centre.

What still counts as a service message

Opting out of marketing does not stop essential messages about a live facility, such as statements, payment reminders, security notices and changes to terms. These are part of running your company's account, not marketing, so we will still send them.

How quickly it takes effect

We action opt-outs promptly. Email unsubscribes are usually immediate, though a message already in transit may still arrive. If you keep receiving marketing after opting out, let us know so we can fix it.

Choosing channels

You can often opt out of some channels and keep others, for example stopping marketing emails while keeping important service alerts. Our preferences settings let you tailor this, and you can change your mind at any time.

See also: How long a decision takes, What if the supplier invoice changes after I take a Slice? and Can I object to how you use my data?.

How do I request a copy of the data Credicorp holds about my business?

Under UK GDPR, individuals have the right to request a copy of the personal data an organisation holds about them. As a business lender, the data we process relates to the company and to the individuals connected with it — such as directors and authorised portal users. Here is how to exercise that right.

Who can make a request

  • Any director or beneficial owner whose personal data we hold in connection with a company facility
  • Any authorised portal user whose contact details or activity logs we hold
  • A legal representative acting with written authority from one of the above

The company itself does not hold individual data-subject rights, but company records such as transaction history, credit assessments, and agreements can be requested through your account portal or by contacting your account manager.

How to submit a request

  1. Email data@credicorp.co.uk with the subject line "Subject Access Request"
  2. Include your full name, the company name and number, and a description of the data you are seeking
  3. Attach a copy of photo ID so we can verify your identity before releasing any records

What happens next

We will acknowledge your request promptly and aim to respond within one calendar month. Where the request is complex or we receive multiple requests, we may extend this by up to two further months and will notify you if that is necessary. There is no charge for a standard request.

See also: How to ask Credicorp to delete your business data, How long Credicorp keeps your business data.

How do you keep my data secure?

Keeping personal data secure is both a legal duty and something we take seriously in its own right. We use a combination of technical and organisational measures designed to protect data against loss, misuse and unauthorised access.

Technical measures

  • Encryption of data in transit and, where appropriate, at rest.
  • Access controls so staff and providers only see what their role requires.
  • Monitoring and logging to detect unusual activity.
  • Regular updates and security testing of our systems.

Organisational measures

  • Staff training on data protection and security.
  • Written contracts requiring our providers to protect data.
  • Internal policies covering how data is handled and shared.

Your part in security

You can help by keeping your portal sign-in details private, using a strong unique password, and being alert to phishing. We will never ask for your full password, and we will not ask you to move money to a so-called safe account. If something looks suspicious, contact us through the help centre rather than replying to the message.

If something goes wrong

If a personal data breach is likely to put your rights at risk, we will notify the Information Commissioner's Office and, where required, the people affected.

See also: What happens if there is a data breach?, Who is the data controller for my information?, What is our lawful basis for processing your data?.

How do you use cookies and tracking on your website?

Like most websites, ours uses cookies and similar technologies. A cookie is a small file stored on your device that helps a site work and remember your choices. Some cookies are essential; others are only set with your consent.

Types of cookies we use

  • Strictly necessary cookies that make the site and portal work, including security and sign-in. These do not need consent.
  • Functional cookies that remember preferences.
  • Analytics cookies that help us understand how the site is used, set only with your consent.
  • Marketing cookies, where used, also set only with your consent.

How consent works

When you first visit, you are asked about non-essential cookies. Nothing beyond strictly necessary cookies is set until you agree. You can accept, reject, or choose by category.

Changing your mind

You can change your cookie choices at any time through the cookie settings on our site. You can also clear or block cookies in your browser, though some features may not work as well if you block essential ones.

Where to learn more

Our cookie notice lists the cookies we use and their purposes. The personal data collected through cookies is handled in line with our privacy notice.

See also: Can I reduce or close my Flex limit if I no longer need it?, Does a previous decline stay on record when I re-apply? and Can I object to how you use my data?.

How does Credicorp use credit reference agency data when assessing my business?

Commercial credit reference agencies hold records of how UK businesses manage credit and other financial obligations. Credicorp uses this data as part of the underwriting process for Business Loans, Flex facilities, and Slice applications. Here is how that works in practice.

What we search for

  • County Court Judgments (CCJs) registered against the company or its directors
  • Existing credit facilities, outstanding balances, and repayment conduct
  • Adverse public records, including winding-up petitions and insolvency history
  • Trade payment data showing how promptly the company settles supplier invoices

How searches affect your credit file

At the application stage we typically perform a soft search that does not leave a visible footprint on your company's credit file and cannot be seen by other lenders. If you proceed to a formal offer and draw down, we may record a hard search and report the facility to the relevant agency. We will tell you clearly at the point this is about to happen.

Reporting your account conduct

Once a facility is live, we report payment conduct to the credit reference agencies we work with. Consistent, on-time repayments can strengthen your company's commercial credit profile over time. Missed or late payments may be recorded and could affect your company's ability to obtain credit elsewhere.

If you believe data held about your company at a credit reference agency is inaccurate, you should contact that agency directly — they are obliged under UK GDPR to investigate and correct errors.

See also: What data Credicorp collects from your business, Who Credicorp shares your business data with.

How does Credicorp use Open Banking data from my business account?

If you connect your business bank account via Open Banking during an application, Credicorp receives a read-only feed of your transaction history. We use this to make faster, more accurate credit decisions without requiring you to export and upload months of statements manually.

What we use it for

  • Verifying that the account belongs to the applying company
  • Analysing income patterns, average balances, and outgoing commitments
  • Identifying existing loan or finance repayments that affect affordability
  • Supporting ongoing facility reviews for Flex customers

What we do not use it for

  • We do not sell or license your transaction data to third parties for marketing purposes
  • We do not use Open Banking access to make payments from your account — it is strictly read-only
  • We do not retain live access after the purpose for which you granted consent has been fulfilled

How long we retain the data

Transaction data retrieved via Open Banking is treated in the same way as any other financial record we hold: retained for the duration of your facility and for a period afterwards in line with our standard data-retention schedule. You can request details of the specific retention period applicable to your account by contacting our data team.

You may withdraw Open Banking consent at any time through your bank's app or our portal. Withdrawing consent does not automatically close your facility, but it may affect our ability to offer automatic limit reviews.

See also: What data Credicorp collects from your business, How long Credicorp keeps your business data.

How is my data used in lending decisions?

When your company applies for a Credicorp Flex or Credicorp Slice facility, we use a range of data to decide whether to lend and on what terms. Because we lend to companies for business purposes, much of the assessment focuses on the business, but it also uses personal data about the people behind it.

What feeds into a decision

  • Information from your application about the company and its trading.
  • Identity and anti-money-laundering verification of directors and signatories.
  • Information from credit reference agencies, as described separately.
  • Fraud-prevention checks.

How the assessment works

We combine these inputs to understand affordability and risk for the business. The terms in any offer, including the rate and term shown to you, reflect that assessment. We do not invent numbers here; the figures that matter are the ones set out in your specific offer.

Automated processing

Some checks are automated to make the process quicker, but where a decision has a significant effect a person is involved. You can ask about the role of automation, request a human review, and contest a decision.

Outside the consumer regime

As an exempt business lender, we sit outside the FCA consumer credit regime, so the Financial Ombudsman Service and FSCS do not apply, but your data protection rights are unaffected.

See also: What personal data do you collect about directors?, How do I complain about how you handled my data?, Glossary: what is a data controller?.

How long do you keep my data after my loan ends?

When your company's Credicorp Flex or Credicorp Slice facility is repaid and closed, we do not automatically erase all related personal data. UK law requires lenders to keep certain records for a defined period, and we balance that against our duty not to hold data longer than necessary.

Why we retain after closure

  • Legal and regulatory record keeping, including anti-money-laundering and accounting obligations.
  • Defending or bringing legal claims within the relevant limitation period.
  • Resolving later disputes or queries about a closed facility.

What happens at the end of a retention period

Once a retention period expires and there is no other lawful reason to keep a record, we securely delete or anonymise it. Anonymised data no longer identifies anyone and may be kept for analysis.

Different data, different periods

Not everything is kept for the same length of time. Marketing preferences, for instance, are handled differently from financial transaction records. Our retention schedule sets out the categories and periods, and our data protection team can confirm what applies to your records.

Your rights still apply

Even after closure you can make a subject access request or ask us to correct inaccurate information for as long as we hold it.

See also: Why can't you always delete my data when I ask?, How long should I keep my statements for audit and Companies House? and How do I ask you to delete my data?.

How long does Credicorp keep my business's data?

Credicorp does not keep your data indefinitely. Retention periods are set by a combination of legal obligation, regulatory expectation, and legitimate business need. This article explains the broad framework.

During an active facility

All data collected at application and during the life of a Business Loan, Flex facility, or Slice arrangement is retained for as long as the facility remains open. This includes transaction records, credit assessments, correspondence, and signed agreements.

After a facility closes

  • Contractual and financial records are typically retained for six years from the date the facility closes, in line with the Limitation Act 1980 and standard UK accounting practice.
  • Anti-money-laundering (AML) and Know Your Business (KYB) records are retained for five years from the end of the business relationship, as required under the Money Laundering Regulations.
  • Unsuccessful applications are kept for a shorter period, generally sufficient to handle any queries or disputes relating to the decision.

After retention periods expire

Once the applicable retention period has passed, data is securely deleted or anonymised so it can no longer be linked to your company or its directors. We do not archive data beyond what is legally or operationally necessary.

If you have a question about the specific retention period for your account or a particular category of data, you can submit a request to our data team and we will respond within the statutory timeframe.

We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.

See also: How to request a copy of your business data, How to ask Credicorp to delete your business data.

How Open Banking consent and revocation work

If you choose to share your business bank statements by Open Banking, it helps to know exactly what you are consenting to, how long it lasts, and how to switch it off. This article covers the consent rules and your right to revoke. For whether to use Open Banking at all, see what Open Banking is and is it safe.

What you are consenting to

Open Banking access is read-only. When you connect, you authorise a regulated Account Information Service Provider (AISP) to let us read the transaction history on the account — up to 12 months back — so we can assess the company's affordability. We never see your online banking password, because you authenticate on your own bank's screen. The connection cannot move money: we do not take a payment from your account without your separate, per-payment authorisation at the time.

Consent expires automatically every 90 days

Under FCA rules, an Open Banking access consent expires automatically after 90 days. If we still need access at that point, you will be asked to re-authorise before the 90 days elapse. If you do not re-authorise, the connection simply lapses and we stop receiving data. This 90-day cycle is built into the framework to keep you in control — access cannot quietly run forever.

How to revoke at any time

You do not have to wait for the 90 days to run out. You can revoke an Open Banking connection at any time, with immediate effect, in either of two places:

  • the Connections panel in your customer portal; or
  • your bank's own app, where connected third parties can be managed and removed.

Once revoked, we stop receiving data straight away.

Revoking does not affect a signed loan

This matters: revoking an Open Banking connection does not affect any loan you have already signed. The agreement continues on the terms you accepted, and your repayments are unchanged. Revocation only stops future data sharing; it is not a way to cancel a loan, and it is never held against you.

The provider is regulated too

The AISP that carries the connection is authorised by the FCA in its own right and is subject to the same data-protection regime as us, following the standards published by the Open Banking Implementation Entity under the Payment Services Regulations 2017. If you would rather not connect at all, you can upload PDF or CSV statements instead — the decision uses the same information. Our Privacy Policy explains how the data is handled once we receive it.

See also: Are your phone calls recorded?, Can I get my data in a portable format?, Can I object to how you use my data?.

Is my business data secure with Credicorp?

Protecting the financial and personal data of the businesses we work with is a core operational responsibility, not an afterthought. Here is a plain overview of the measures we have in place.

Technical controls

  • Encryption in transit: All data exchanged between your browser or app and our servers is encrypted using TLS. We do not support legacy protocol versions.
  • Encryption at rest: Sensitive data stored on our infrastructure is encrypted at the database and file-system level.
  • Access controls: Staff access to production data is role-based and logged. Only staff with a legitimate operational need can view account-level records.
  • Multi-factor authentication: Portal accounts and internal administrative systems require MFA.

Organisational controls

  • Regular internal and third-party security testing, including penetration testing
  • Staff data-protection training and clear acceptable-use policies
  • Vendor due diligence: all third-party processors are vetted and contracted under data-processing agreements
  • An incident-response plan covering containment, notification, and remediation

What to do if you suspect a breach

If you believe your portal account has been compromised — for example, you see unexpected activity or receive login alerts you did not trigger — contact us immediately at security@credicorp.co.uk. We treat all such reports seriously and will act quickly to secure the account.

We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.

See also: Who Credicorp shares your business data with, What data Credicorp collects from your business.

What are my rights under UK GDPR?

UK data protection law gives individuals a set of rights over their personal data. These apply to the people connected to a borrowing company, such as directors and contacts, because it is their personal data that we process. Some rights are absolute and some can be limited where another law applies.

Your main rights

  • Be informed about how your data is used, through our privacy notice.
  • Access a copy of the data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure in certain circumstances.
  • Restriction of processing while a query is resolved.
  • Portability of data you provided, in a reusable format, where it applies.
  • Object to certain processing, including direct marketing.
  • Rights related to automated decisions, explained separately.

Where rights have limits

Some rights do not apply when we must keep data to meet a legal obligation, such as anti-money-laundering records, or to defend a legal claim. In those cases we will explain why a request cannot be fully met.

How to use a right

You can exercise any of these by contacting our data protection team. We will normally respond within one month. If you are unhappy with our handling, you can complain to the Information Commissioner's Office.

See also: Glossary: vulnerability, Glossary: what is a data controller? and A plain-English glossary of business-lending terms.

What data does Credicorp collect from my business?

When you apply for a Business Loan, Credicorp Flex, or Credicorp Slice, we collect the information we need to identify your company, assess its financial health, and manage the ongoing facility. Here is a plain breakdown of what that includes.

Company and identity information

  • Registered company name, number, and registered office address
  • Director names, dates of birth, and contact details
  • Companies House filing data, including confirmation statements and accounts
  • Details of beneficial owners holding more than 25% of the company

Financial and transactional data

  • Business bank account details and, where you consent, Open Banking transaction feeds
  • Management accounts, filed accounts, or accountant-prepared summaries you upload
  • VAT returns and HMRC correspondence you choose to share
  • Invoice or purchase-order data where relevant to a Slice application

Application and communications data

  • Enquiry forms, email threads, and in-portal messages
  • Device and browser data collected when you use our portal (cookies policy applies)
  • Any supporting documents you submit, such as bank statements or contracts

We collect only what is proportionate to the product you are applying for. A Credicorp Slice application, for example, requires less information than a Flex facility, because the risk profile and credit limit differ substantially.

We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.

See also: How Credicorp uses Open Banking data, Who Credicorp shares your business data with.

What does Credicorp share with business credit reference agencies?

We use business credit reference agencies to help assess companies and to report how loans are run. Because some people worry a business application will mark their personal credit file, this article sets out exactly what is shared, with whom, and the difference between a soft and a hard search.

Which agencies

We work with business credit reference agencies — Experian Business, Creditsafe and Equifax Business. They hold commercial credit information about UK companies, separate from the consumer agencies that hold personal files.

Soft search vs hard search

  • Soft search. Eligibility checks and our on-site calculator perform a soft search. A soft search is visible to you and to us, but not to other lenders, and it does not affect any credit score. You can see whether you are likely to qualify without leaving a mark.
  • Hard search. A full application performs a hard search at the point you submit it, after you have explicitly agreed. A hard search leaves a footprint visible to other lenders for a period. Several hard searches in a short space of time can read as financial stress, so it is worth applying only when you intend to proceed.

What we report while the loan runs

Once a loan is live, the company's repayment performance can be reported to the business agencies. Payments made on time build the company's record of good account management; missed payments or arrears may also be reported against the company. After the account is settled and closed, it stays on the company's business file for a period so other business lenders see the full picture — see how long we keep your records.

What is not a personal credit search

The identity and anti-money-laundering check we run on the signing director is a verification step, not a personal credit search. We do not record this loan, or the application, against the director's personal consumer credit file with Experian, Equifax or TransUnion. For the fuller answer, see will applying for a Credicorp loan affect my credit file.

Seeing and correcting the data

A company can request a copy of its own business credit file from any of the business agencies, and you have a statutory right to ask an agency to correct anything inaccurate. If you think we have reported something wrong about the company, raise it through the General Support Enquiry form and we will investigate and, if needed, ask the agency to update the record. Our Privacy Policy explains how we use credit reference data in full.

See also: Are your phone calls recorded?, Can I get my data in a portable format?, Can I object to how you use my data?.

What happens if there is a data breach?

A personal data breach is a security incident that leads to personal data being lost, destroyed, altered, disclosed or accessed without authorisation. We have processes in place to identify, contain and assess any incident quickly.

How we respond

  • Contain the incident and limit any further impact.
  • Investigate what happened, what data was involved and who is affected.
  • Assess the risk to the people whose data is involved.
  • Record the incident, as the law requires, even where no notification is needed.

When we will tell the regulator and you

If a breach is likely to result in a risk to people's rights and freedoms, we will report it to the Information Commissioner's Office, normally within seventy-two hours of becoming aware. If the risk is high, we will also tell the affected individuals without undue delay, so you can take steps to protect yourself.

What you can do

If we notify you, follow the specific advice we give. As a general precaution, be alert to unexpected messages, do not share sign-in details, and contact us through the help centre if you are unsure whether a message is genuine.

Raising a concern

If you believe your data has been compromised, tell us so we can investigate. You can also report concerns to the Information Commissioner's Office.

See also: How do I request a copy of my data?, What happens to my data after I close my account? and Can I object to how you use my data?.

What is our lawful basis for processing your data?

Under UK GDPR, every use of personal data must have a lawful basis. Credicorp does not rely on a single basis for everything; instead we match the basis to the purpose. Knowing which basis applies also affects which rights are available to you.

The bases we rely on

  • Contract where processing is needed to set up or run a facility for your company, such as administering Credicorp Flex or Credicorp Slice.
  • Legal obligation where law requires it, for example anti-money-laundering and identity checks, and record keeping.
  • Legitimate interests where we have a genuine business reason that does not override your rights, such as preventing fraud, securing our systems and managing the relationship.
  • Consent for specific things you opt into, such as certain marketing or open banking access, which you can withdraw at any time.

Why the basis matters

Some rights, such as the right to erasure or to object, depend on the basis being used. For example, data we hold to meet a legal obligation usually cannot be deleted on request until the retention period ends.

Find out more

Our privacy notice sets out, purpose by purpose, which lawful basis applies. If you want to understand the basis behind a particular use, our data protection team can explain it.

See also: What happens if there is a data breach?, Who is the data controller for my information?, How do I complain about how you handled my data?.

What personal data do you collect about directors?

Although Credicorp lends to companies rather than individuals, we do process some personal data about the people connected to a borrowing business. We only collect what we genuinely need to assess, set up and run a facility responsibly.

Categories we typically hold

  • Identity data such as name, date of birth and role within the company, used to verify who we are dealing with.
  • Contact data such as email address, phone number and business address.
  • Verification data gathered during identity and anti-money-laundering checks.
  • Correspondence including messages, call notes and support enquiries.
  • Technical data such as device and log information when you use our online portal.

Where it comes from

Most data comes directly from your application and from the people you authorise to deal with us. Some comes from public sources such as Companies House, and some from the agencies we use for identity and fraud checks.

Why we limit collection

UK data protection law requires us to keep collection proportionate, so we avoid gathering data we do not need. Because the facility is to the company and no personal guarantee is taken, the personal data we hold is focused on identity, contact and the lawful checks we are required to perform. Our full privacy notice lists the categories in detail.

See also: Who is the data controller for my information?, Arrears (glossary) and Do you take a personal guarantee from directors?.

Which third parties do you share my data with?

We do not sell your personal data, and we share it only where there is a clear, lawful reason. The recipients fall into a small number of categories, each tied to running a Credicorp Flex or Credicorp Slice facility properly and meeting our legal duties.

Who we may share with

  • Identity and fraud-check providers who help us verify the people behind a borrowing company.
  • Credit reference agencies, for the purposes set out separately in our credit-reference material.
  • Payment and banking partners who process disbursements and repayments.
  • Technology and hosting providers who operate our systems under contract.
  • Professional advisers such as lawyers and auditors, where needed.
  • Regulators and authorities where the law requires disclosure.

How we control these relationships

Where a third party processes data on our behalf, they act under a written contract that limits how they may use it and requires them to keep it secure. They cannot use your data for their own purposes unless they are a separate controller, such as a regulator acting under law.

Transparency

Our privacy notice describes these categories in more detail. If you want to know whether a specific organisation has received your data, you can ask through a subject access request.

See also: What happens if there is a data breach?, How do I complain about how you handled my data?, Who is the data controller for my information?.

Who does Credicorp share my business data with?

Credicorp does not sell your data. We share it only where there is a specific, legitimate reason to do so. Below is a transparent account of who may receive your company's data and why.

Credit reference and fraud-prevention agencies

We may search and report to commercial credit reference agencies as part of our underwriting process. This helps us assess creditworthiness and contributes to industry-wide fraud prevention. The agencies we work with hold their own privacy notices explaining how they use that data.

Funding and capital partners

Where your facility is funded in part by an institutional partner or where we assign or participate a loan for capital purposes, that partner may receive your application and account data under a confidentiality agreement. This does not affect the terms of your facility or how we service it.

Regulated service providers

  • Identity verification providers — to confirm director identities and satisfy KYB requirements
  • Open Banking providers — to retrieve transaction data with your consent
  • Cloud infrastructure and data-processing suppliers — who process data on our behalf under strict data-processing agreements
  • Legal and professional advisers — where necessary to manage a facility or pursue a debt

Regulators and law enforcement

We may be required by law to share data with HMRC, the FCA, the NCA, or law enforcement agencies. We do not notify you of such disclosures where doing so would be unlawful or would tip off a subject of investigation.

We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.

See also: What data Credicorp collects from your business, Is my business data secure with Credicorp.

Who is the data controller for my information?

When you apply for or hold a Credicorp Flex or Credicorp Slice facility, Credicorp acts as the data controller for the personal data we process about the individuals connected to your company, such as directors, authorised signatories and day-to-day contacts. A data controller is the organisation that decides why and how personal data is used.

What this means in practice

As controller, we are responsible for handling your information lawfully, keeping it accurate and secure, and respecting your rights under UK data protection law. We are registered with the Information Commissioner's Office, the UK's data protection regulator.

  • We decide the purposes for processing, such as assessing an application or servicing a live facility.
  • We are accountable for any third parties we instruct to process data on our behalf.
  • We are the organisation you contact to exercise your data rights.

A note on our lending model

Credicorp lends only to UK limited companies and LLPs for business purposes. The borrower is always the company, and we do not take personal guarantees from directors. We still process some personal data about the people behind a company, which is why data protection law applies.

How to reach us

You can contact our data protection team through the help centre or the contact details in our privacy notice. Because Credicorp sits outside the consumer credit regime, the Financial Ombudsman Service and FSCS do not apply, but data protection rights are the same as for any UK organisation.

See also: What personal data do you collect about directors?, What happens if there is a data breach?, Glossary: what is a data controller?.

Why can't you always delete my data when I ask?

The right to erasure, sometimes called the right to be forgotten, lets you ask us to delete your personal data. It is an important right, but it is not absolute. In a lending context there are several reasons we may not be able to delete everything straight away.

When erasure does not apply

  • Legal obligations. We must keep certain records, such as anti-money-laundering and accounting records, for periods set by law.
  • Legal claims. We may keep data needed to establish, exercise or defend a legal claim until the relevant period ends.
  • Active facility. While your company's facility is live, we need the data to run it.

What we can still do

Even where we cannot erase a record, we can often help in other ways. We can stop using your data for marketing, correct inaccuracies, restrict certain processing while a query is resolved, and delete anything we no longer have a lawful reason to keep.

What happens later

When a retention period ends and there is no other lawful basis to hold a record, we securely delete or anonymise it. If we refuse an erasure request in part, we will explain which data we are keeping and why, and you can complain to the Information Commissioner's Office.

See also: How do I ask you to delete my data?, How long do you keep my data after my loan ends? and How do I correct inaccurate information you hold?.

Will applying for a Credicorp loan affect my credit file?

This is lending to your company, not to you personally, so it is the company's credit position we look at — not the director's personal consumer credit file. Here is exactly how that works.

Checks when you apply

When the company applies, we carry out two checks: a business credit check on the company (using business credit reference agencies) and an identity check on the director to confirm who we are dealing with and to meet our anti-money-laundering obligations. The identity check is a verification step; it is not a personal lending search and is not recorded as one.

We do not record this loan, or the application for it, against the director's personal consumer credit file with Experian, Equifax or TransUnion. Borrowing with us will not show up when you next apply for a personal mortgage, card or loan.

The company's business credit file

The loan and how it is run can be reported to business credit reference agencies — Experian Business, Creditsafe and Equifax Business. That means:

  • payments made on time build the company's record of good account management;
  • missed payments or arrears may also be reported against the company;
  • after the account is settled and closed it stays on the company's business file for a period so other business lenders can see the full picture.

How to see the file

A company can check its own business credit file with any of the business agencies above. A director can separately check their personal file with Experian, Equifax or TransUnion at any time — each must give free access under data-protection law, and looking at your own file never affects it.

If something looks wrong

If you think we have reported something incorrectly about the company, please raise it — the General Support Enquiry form is the right place to start. We will investigate and, if a correction is needed, ask the relevant agency to update the record. Our Privacy Policy sets out in full how we use credit reference data and your rights over it.

See also: What does Credicorp share with business credit reference agencies?, ID verification when you apply, How is my data used in lending decisions?.