1.1 We, Bibby Financial Services Limited and subsidiary companies (together, “Bibby Group Companies”) (details of our UK operating companies can be viewed here (www.bibbyfinancialservices.com/contact-us) and a full list of our group companies can be obtained from our Data Protection Officer and reference in this Privacy Notice to “we”, “us” and “our” refers to all or any of the Bibby Group Companies), collect, use and are responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation (“GDPR”) which applies across the European Union (including in the United Kingdom) and under any local legislation which implements or supplements the GDPR (including, in the UK, the Data Protection Act 2018) and we are responsible as “controller” of that personal information for the purposes of those laws. It will often be the case that your personal information will be used by more than one Bibby Group Company who will either responsible as joint controllers of that personal information or it may be that one Bibby Group Company is the “controller” and another is the “processor” of that personal information.
1.2 We are committed to the protection of your privacy and you can find out more about your privacy rights and how we gather, use and share your personal information (being the personal information we already hold about you and the further personal information we might collect about you, either from you or from a third party) in this Privacy Notice. How we use your personal information will depend on i) our relationship with you, ii) on the products and services we provide to you (or to any company or limited liability partnership (each, a “Connected Company”) of which you are a corporate officer, owner, member or partner or in connection with which you have agreed to act as surety, guarantor or warrantor (each, a “Key Individual”)) or iii) where you (or a Connected Company) are a customer of one of our clients to whom we’ve made funding available (“Your Supplier”), on the products and services we make available to Your Supplier.
1.3 We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.
1.4 Our Data Protection Officer (“DPO”) provides us with help and guidance to ensure we apply the best standards to protecting your personal information. If you have any questions about how we use your personal information you can contact our DPO by email at DPO.UK@bibbyfinancialservices.com or by post sent to The Data Protection Officer, Bibby Financial Services Limited, Pembroke House, Banbury Business Park, Aynho Road, Adderbury OX17 3NS. See section 2 (Your privacy rights) for more information about your rights and how our DPO can help you.
1.5 This Privacy Notice provides up to date information about how we use your personal information and updates any previous information we have given you about our use of your personal information. We will update this Privacy Notice if we make any significant changes affecting how we use your personal information and we will contact you to let you know about the changes.
2. Your privacy rights
2.1 Under the GDPR you have a number of important rights which you can exercise, free of charge. In summary, those include rights to:
- object, in certain circumstances, to how we use your personal information. If you wish to exercise this right, please contact our DPO, providing details of your objection;
- request access to a copy of your personal information which we hold, along with details of what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge by contacting our DPO. Please make all requests for access in writing, and provide us with evidence of your identity;
- ask us to correct inaccuracies, to complete any incomplete personal information, to delete or restrict personal information or to ask for some of your personal information to be provided to someone else;
- withdraw your consent (if you have given us your consent to use your personal information) and update your marketing preferences by contacting us directly on 0800 919592;
- ask us to delete your personal information where it is no longer necessary for us to use it, where you have withdrawn consent, or where we have no lawful basis for keeping it;
- ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred; and
- ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
For further information in relation to these rights, including the circumstances in which they apply, please see the guidance from the UK Information Commissioner’s Office (“ICO”) on individuals’ rights under the GDPR (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/).
2.2 You can also make a complaint to the ICO at https://ico.org.uk. For further information about exercising any of your rights in this Privacy Notice please contact our DPO using the details contained in section 1 (Introduction).
3. What categories of personal information do we use?
3.1 We use a variety of personal information depending on the products and services we provide to you (or to any Connected Company or to Your Supplier). For most products and services which we provide to you (or to any Connected Company) we need your name, address, date of birth, contact details (including email address and phone numbers), any other information to allow us to check your identity (including a copy of your identification documents (such as a passport or driving licence)) and information about your credit history.
3.2 For some products and services we may need to use additional personal information which we will gather about you – without this we will not be able to provide any of those products and services to you (or any Connected Company). For example, to make available a funding facility, we need financial information (which may include your income, expenditure, assets and liabilities, credit history and credit scoring), employment details, details of any criminal prosecutions and details of bankruptcy or any County Court Judgements. This information will be used for funding decisions, to help us to operate a funding facility, for fraud prevention and anti-money laundering and to meet our own legal obligations.
3.3 For the invoice finance products and services which we provide to Your Supplier, we may need your name, address, contact details (including email address and phone numbers) and any other information to allow us to verify any debts owed to Your Supplier which Your Supplier is seeking funding for. This information could include copies of invoices (and any credit notes or correspondence relaying to those invoices) addressed to you (or a Connected Company) from Your Supplier, copies of supply or service contracts entered into between you (or a Connected Company) and Your Supplier, details of any aged debt owed by you (or a Connected Company) to Your Supplier, details of your (or a Connected Company’s) payment history with Your Supplier and details of your (or a Connected Company’s) financial records.
3.4 If your personal information is needed by us in order to enter into a contract with you (or any Connected Company) or to meet a legal obligation, we will not be able to provide some products or services without that personal information. We will notify you if this is the case.
4. How do we gather your personal information?
We obtain personal information about you:
- directly from you, for example when you visit our offices and fill your details in to our visitors’ book or where you fill out an application or information gathered during any conversations with us (including LIVE CHAT conversations via our website) or from written/electronic exchanges with us;
- by observing how you use our products and services;
- from other organisations such as credit reference and fraud prevention and watchlist agencies;
- from third party intermediaries and introducers;
- from Your Supplier; and
- from other people who know you including people you are linked to financially.
We may also obtain some personal information from monitoring or recording calls. We may record or monitor phone calls with you for regulatory purposes, for training purposes, to ensure and improve quality of service delivery, to ensure safety of our staff and customers, for other security purposes and to resolve queries or issues. Such recordings belong to us.
5. How we use your personal information
For the vast majority of products and services which we make available to you (or to a Connected Company), we need your name, address, date of birth, contact details (including email address and phone numbers), any other information to allow us to check your identity (including a copy of your identification documents (such as a passport or driving licence)) and information about your credit history. Where we make available products and services to Your Supplier we may need your name, address, contact details (including email address and phone numbers) and any other information to allow us to verify any debts owed to Your Supplier which Your Supplier is seeking funding for. Further details of the categories of personal information which we need about you are provided in section 3 above.
We sometimes need to gather, use and share additional personal information for specific purposes, which are set out in more detail below. We will only do this where we have a lawful basis to do so. Please see section 7 below for further details of our lawful basis for using your personal information.
5.1 To operate and administer any funding facility we have made/may make available to you (or any Connected Company) or any of our other products and services (including the provision by us (or nominated service providers) of training in relation to those products and services), we will use:
a. your contact details;
b. your location data for fraud prevention and, if you have consented to it, mobile location services;
c. your IP address to identify you for security reasons.
We might share all of the information we use for this purpose with third parties who help us to verify your identity details (for example Jumio Corporation (see section 9 below for more information about Jumio Corporation)) or your contact details and to deliver our products and services, such as our subcontractors and our own service providers (including but not limited to) i) the providers of our IT systems and platforms, ii) providers of document management services and solutions, iii) credit or other insurers for underwriting purposes or in relation to the administration of any claims (who may pass it to persons they deal with and to users of their services), iv) external payroll service providers (where that forms part of the services we provide to you), v) our legal and tax advisers, vi) any person giving (or potentially giving) a guarantee, indemnity or other commitment to any of the Bibby Group Companies in relation to any funding facility or other product we make available to you (or any Connected Company) so they can assess their obligations to the Bibby Group Companies, vii) third party trainers; viii) third party auditors and other advisers acting on behalf of any of the Bibby Companies or on your behalf, so that they can carry out their services to such persons and any regulators. We use your information in this way because it is necessary to perform our contract with you and to meet our legal obligations.
5.2 To operate and administer any funding facility we have made/may make available to Your Supplier, we will use:
a. your contact details;
b. details of your contractual arrangements with Your Supplier (including payment terms);
c. copies of purchase orders between you and Your Supplier along with documents which evidence proof of delivery and/or provision of services;
d. copies of invoices sent to you by Your Supplier;
e. copies of credit notes issued to you by Your Supplier; and
f. the amount of monies owing by you to Your Supplier.
We use this information to verify debts which Your Supplier is asking us to fund. We also use this information to assist us in collecting debts due from you. It is in our legitimate interests to ensure that the debts which we are being asked to fund exist and are likely to be paid. It is in our legitimate interests to take steps to collect those debts.
5.3 To administer payments to you or from you (or otherwise for our account in respect of any services or products we make available to you or a Connected Company or to Your Supplier), we will use:
a. your contact details and the payment details that you have provided to us; and
b. your location data to enable us to verify locations at which payments are made for fraud prevention purposes.
We may give this information to our third party payment providers to process payments to or from you or otherwise in respect of payments being made to us. We use your details in this way because it is necessary to perform our contract with you (or any Connected Company) where you are (or such Connected Company is) our client or, where you are the debtor of our client, using your personal information in this way is in our legitimate interests to collect debts due to us.
5.4 To make credit decisions about you (or any Connected Company), including new applications for funding or requests to increase funding limits, we will use:
a. information you give to us about your credit history;
b. information about those you are financially linked to (such as your partner);
c. information about how you have used other products and services offered by us;
d. information we receive from third party credit reference agencies, fraud prevention agencies and watchlist agencies; and
e. information we receive about you directly from other third parties.
For this purpose, we share information with credit reference and fraud prevention agencies (a list of such credit reference agencies can be obtained from our DPO using the details contained in section 1 above. The information could then be used as follows:
a. the credit reference or fraud prevention agency might add details of our search and your credit application to the records they hold about you, whether or not your application proceeds;
b. we and the credit reference or fraud prevention agency might link your financial records to those of any person you are financially linked to – this means that each other's information (including information already held by us or the credit reference agency) will be taken into account in all future credit applications by you (or such financially linked person), until one of you successfully files a 'disassociation' at the credit reference agencies;
c. we might add details of your (or the Connected Company’s) facility with us to the credit reference or fraud prevention agency's records, including details of how that facility is being operated and including any default or failure to keep to the terms of the underlying agreement;
d. the credit reference or fraud prevention agency could pass on any of that information to other companies unrelated to us for the credit checking and fraud prevention purposes mentioned above; and
e. the credit reference or fraud prevention agency will also use the information for statistical analysis about credit, insurance and fraud on an anonymous basis.
When credit reference agencies receive a search from us, they will place a search footprint on your credit file that may be seen by other lenders and other companies unrelated to us (for example, other funders and credit providers).
Further details of the credit reference agencies (and the ways in which they use and share personal information) are explained in more detail at www.experian.co.uk (Experian can also be contacted on 0800 013 88 88) and at www.equifax.co.uk (Equifax can be contacted on 0800 014 2955).
We use your information in this way because i) it is necessary to perform our contract to deliver credit related products and services to you (or any Connected Company), ii) to meet our legal obligations and iii) because it is in our legitimate interests to understand your financial position and to promote responsible lending.
5.5 To assist us to structure any funding facility to be made available to you or a Connected Company or to allow us to consider and deal with any proposed third party facility which you or a Connected Company is considering we will use:
a. information about other outstanding funding facilities which have been made available to you (or a Connected Company) or which you (or such Connected Company) are proposing to enter into; and
b. information about guarantees and security documents which may have entered into or are being contemplated in relation to such funding facilities.
This information might be used to determine any security package sought for our funding facilities or to consider any requests for consent to allow third party security to be granted. This may involve sharing of this information with third party funders.
5.6 To comply with our legal obligations, to prevent financial crime including fraud and money laundering we will use:
a. any information you have given us, that we have obtained from a third party, or that we have obtained by looking at how you use our services, where it is necessary for us to use that information to comply with a legal obligation; and
b. this information will include name, address, date of birth, every country of residence/citizenship, personal identification (which may include passport number or driving license number) your IP address, and information about any criminal convictions.
We will give information to and receive information from third parties where that is necessary to meet our legal obligations, including credit reference agencies, fraud prevention agencies, the police and other law enforcement and government agencies, banks and regulators. Fraud prevention agencies may use your information as set out in paragraph 5.4 above
5.7 For financial management and debt recovery purposes, we will use:
a. your contact details; and
b. information we obtain from looking at how you have used our services.
We will give information to and receive information from third parties where that is necessary to recover debts due by you or your customers (or by a Connected Company or the customers of that Connected Company) to us, for example, other funders, debt recovery agents, insolvency practitioners, our legal advisers, credit reference agencies and sheriff officer or bailiff services.
We use your information in this way because it is necessary to perform our contract with you, to exercise our legal rights, and because it is fair and reasonable for us to do so.
5.8 To carry out market research and analysis to develop and improve our products and services we will use:
information about how you have used our products and services. We use your information in this way because it is in our interests to do so for the purpose outlined above.
We may pass your personal information to market research companies and other service providers as required.
5.9 To market products and services to you, we will use:
a. the contact details you have provided to us; and
b. information we have gathered from your use of our other products and services to form a profile of you which we will use to assess what other products and services would be most beneficial for you.
We will pass your personal information to our service providers who help us with these marketing activities.
We might also receive personal information about you from a third party and use it to market our products and services to you, where you have given that third party your consent to share the personal information with us (or have otherwise requested them to do this) or where that third party otherwise has a lawful basis for sharing that personal information with us. We may collect your name and address from other service providers for the purpose of providing suitable marketing to you.
5.10 To facilitate introductions from, and to enable introducer fee payments to be made to, third parties, we will give information to and receive information from third party independent financial advisers and brokers. In doing this we will use:
a. information about the general nature of our products and services; and
b. information about the value of those products and services (where we have made them available to you (or a Connected Company)).
We use your information in this way because it is in our interests to have relationships with third party introducers in order to expand our business and to allow us to provide you with the products and services that best suit you.
5.11 To make introductions to third party financial advisers and brokers or third party funders we will use:
a. your contact details; and
b. information in relation to the products and services which we believe you are seeking or which may be best suited to you.
We use your information in this way where you have either given your consent to this or have otherwise requested us to do this.
5.12 To enable us to obtain the funding which we provide to you (or a Connected Company) we may use:
information in relation to the facility made available to you (or a Connected Company) which could include copies or the originals of our agreements with you (or such Connected Company) and the provision of such information to our funders or block discounters.
We use your information in this way where our own funding arrangements require us to do so in order to obtain the funding which we make available to you.
5.13 To comply with our obligations to supply details of our business (and its performance) to our funders, their agents and representatives and to our auditors we may use:
a. your name;
b. your contact information;
c. your bank account details;
d. details of the amount of funding made available by us to you (or a Connected Company) or which is otherwise owed by you to us; and
e. details of any payments made by you to us.
We use your information in this way in order to comply with our own funding arrangements agreements (and a failure to comply would mean that we would be unable to provide you (or a Connected Company or Your Supplier) with the funding you (or they) need). Typically, your information may be included within reports we issue to our funders (or their agents and representatives) which might, for example, provide those recipients with details of our new clients, our top clients (in terms of facility size) and top debtors (in terms of size of debt). We also use this information to comply with our audit obligations (which we have a lawful obligation to comply with).
5.14 For business development purposes and to engage with introducers, contractors and advisers we will use:
your contact details in order to make contact with you for any of the above purposes. We do this either because i) it is necessary in order to enter into a contract with you or to perform a contract once entered into or ii) it is in our legitimate interests to interact with you for networking and business development purposes.
5.15 For security and administrative purposes we will use:
information (which would usually include your name, details of your organisation and your vehicle registration number) which you may insert into our visitors’ books when you visit our premises.
This information is needed to assist us to verify your identity and to help administer appointments which you have with us. The information will also help us to determine who is within our premises, in the case of an emergency. Your vehicle registration details can help us to identify and locate you whilst you’re visiting our premises, should there be a problem connected to your vehicle.
5.16 In completing our documents we will use the following information of any individuals who witness any signatures on any of our documents:
a. contact information; and
b. occupation details
This information is required to make it easier to identify and trace a witness in case any questions arise in the future concerning the execution of our documents. Each party to our documents will be provided with a fully signed copy of them and further copies will (where relevant) be filed with Companies House and the Land Registry. All witness details (other than witness names) will be redacted before filing at Companies House.
Connected Companies and Key Individuals - personal information requirements
For a Connected Company, we will use personal information about Key Individuals, so that we can operate and administer the products and services which we provide to the Connected Company.
The personal information we use about Key Individuals is as set out in preceding paragraphs of this section 5, and we may use it for any of the purposes described in this section 5. We may hold personal information on Key Individuals for the purposes of operating and administering products and services which we provide to the Connected Company, as well as for the purposes of the prevention of fraud and money laundering, for debt recovery purposes, and to make credit decisions about the Connected Company.
Personal information on Key Individuals is obtained directly from the Key Individual, from the Connected Company, from the Key Individual's dealings with any of the Bibby Group Companies, and from fraud prevention and credit reference agencies. Such information may include special categories of personal information, such as information relating to health or criminal convictions.
6. Automated decision making
Sometimes we use your personal information in automated processes to make decisions about you. As an example, we want you to get the most relevant information about our products and services at the right time. The most effective way for us to do this is to use automated processes to create a profile of you for marketing. To carry out marketing profiling we use information (which may have been obtained from you, obtained from credit reference agencies, extracted by us based on how you have used other products and services provided by us (including your credit history with us), arising from any feedback which you have provided to us or obtained from other external data sources) to create a profile of you.
7. Our lawful basis for using your personal information
7.1 We only use your personal information where we have a lawful basis to do so. This could include where:
a. we have your consent;
b. we need to use the information to comply with our legal obligations;
c. we need to use the information to perform a contract with you or to take steps at your request before a contract is entered into; and/or
d. it is in our interests or someone else's interests to use the personal information and your interests in protecting your personal information do not override this – this will include where it is in our interests to use your personal information to decide whether to enter into a funding facility with you (or with a Connected Company or Your Supplier) and, afterwards, to progress, process or administer that funding facility (including facilitating payments and collecting in monies owed to us), to contact you about products or services, to market to you, or to collaborate with others to improve our services.
Where we have your consent, you have the right to withdraw it. We will let you know how to do that at the time we gather your consent. See section 11 (Keeping you up to date) for details about how to withdraw your consent to marketing.
7.2 Data protection laws give special protection to particularly sensitive personal information. This includes information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership or criminal convictions or allegations. We will only use this kind of personal information where:
a. we have a legal obligation to do so (for example to protect vulnerable people or where information about your health status impacts on our decision as to whether or not to fully enforce our rights under any of our documents and we are asked to disclose the rationale behind that decision to a person carrying out an official function);
b. it is necessary for us to do so to protect your vital interests (for example if you have a severe and immediate medical need whilst on our premises);
c. it is in the substantial public interest;
d. it is necessary for the prevention or detection of crime;
e. it is necessary for insurance purposes; or
f. you have specifically given us explicit consent to use the information.
7.3 We may use information about criminal proceedings relating to you to decide whether to enter into a facility with you or a Connected Company or Your Supplier, for fraud prevention/anti-money laundering purposes and to fulfil our legal and regulatory obligations.
More information about our lawful basis for processing your personal information is contained in section 5 above.
8. Sharing your personal information
8.1 We will share personal information with other Bibby Group Companies and with other third parties where we need to do that to provide products and services to you, to market products and services to you, to meet or enforce a legal obligation or where it is fair and reasonable for us to do so. We will only share your personal information to the extent needed for those purposes.
8.2 Who we share your personal information with depends on the products and services we provide to you (or any Connected Company or Your Supplier) and the purposes we use your personal information for. For most products and services we will share your personal information with our own service providers such as our IT suppliers, with credit reference agencies and with fraud prevention agencies. We may also share your information with others such as third parties approved by you, external contractors, suppliers, consultants, third party agencies and representatives, our professional advisers and, in some cases, our own funders and their representatives. If practical these recipients of the information will be bound by confidentiality obligations. We may also be required to share some personal information with the Government or any industry regulators (where we are required to do so by law or to assist with their investigations or initiatives), such as the Financial Conduct Authority, HMRC, the Home Office, the Information Commissioners Office or the courts, or with the police, law enforcement or security services (to assist with the investigation and prevention of crime and the protection of national security). See section 5 (How we use your personal information) for more information about who we share your personal information with and why.
8.3 Most of the time the personal information we have about you is information you have given to us, or gathered by us in the course of providing products and services to you (or to a Connected Company or Your Supplier). We also sometimes gather personal information from third parties for example where necessary for credit checking and fraud prevention or for marketing purposes (to enable you to receive details of relevant products from us). See section 5 (How we use your personal information) for more information about who we receive your personal information from and why.
9. Transfers of information outside the European Economic Area (“EEA”)
9.1 We may need to transfer your personal information outside of the EEA , for instance to other Bibby Group Companies, service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the EEA. An example of this occurs in relation to our identity verification procedures. If you are a prospective client or a Key Individual in relation to a prospective client then we will use the services of Jumio Corporation to assist in identity verification. Jumio Corporation is a US based company which operates globally and which uses computer vision technology, machine learning and live verification to verify credentials.
9.2 We will only transfer your personal information outside the EEA where either i) the transfer is to a country which ensures an adequate level of protection for your personal information (as determined by the European Commission) or ii) we have put in place measures to ensure adequate security for your personal information (in accordance with Article 46 of the GDPR). These measures include ensuring that your personal information is kept safe by carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings such as the EU style model clauses. We also use the EU Commission approved EU-US Privacy Shield when we transfer personal information to the US. In the case of the Jumio Corporation we ensure that your personal information is protected by the inclusion (within our contract with Jumio Corporation) of European Commission approved model clauses.
9.3 Please contact our DPO whose details are set out above to find out more about the safeguards we employ when transferring personal data outside of the EEA.
10. How long we keep your personal information for
10.1 How long we keep your personal information for depends on the products and services we deliver to you (or to a Connected Company or to Your Supplier). We keep your personal information for so long as you have (or the relevant Connected Company or Your Supplier has) a relationship with us but will never retain your personal information for any longer than is necessary for the purposes we need to use it for.
10.2 We generally keep the personal information we use for at least seven years after the end of any facility which we make available to you (or any Connected Company or Your Supplier) or from the date you (or such Connected Company or Supplier) last used one of our services. Where the documentation relating to any facility made available to you (or any Connected Company or Your Supplier) consists of documents signed as deeds, then we may keep them alongside personal information relating to those documents for twelve years after termination of those documents. In some circumstances we will hold personal information for longer than stated above where we believe that this is necessary for active or potential legal proceedings or to resolve or defend claims.
10.3 Please contact our DPO whose details are set out above if you want to find out more about how long we’ll retain your personal information.
11. Keeping you up to date
11.1 We will communicate with you about products and services we are delivering using any contact details you have given to us - for example by post, email, text message, social media or website.
11.2 In most cases we do not need your consent in order to market to you. Instead, we’ll usually be relying on legitimate interests as our lawful basis to market to you. If (for whatever reason) we cannot rely on legitimate interests and, instead, we seek and obtain your consent to be able to market to you, you can withdraw that consent by contacting us directly on 0800 919592. You can also contact us on that number if you’d like to update your marketing preferences.
13. Do you need extra help?
Please contact our DPO whose details are set out above or if you would like this Privacy Notice in large print.
Last updated May 2018