Privacy Notice

Effective date: 22 November 2022

About this document
This document is Sikoia’s privacy notice. It explains why Sikoia processes personal data, what is done with it, whether it is shared with other parties, and how long it is kept. It also explains your rights and how to exercise them in accordance with the UK Data Protection Act 2018, UK GDPR and where applicable the EU GDPR (“Data Protection Laws”).

To all visitors on our Website
Where you enter our Website we may collect and store the following information: IP address, Location, Clicked links and Content viewed. We may also collect the following data when you perform certain functions on our Website such as your first and last name and email address when you initiate contact with us for example by filling in our “Contact Us” form.

Depending on the circumstances, our lawful basis for collecting the data is for our legitimate interests to give you a better experience on our website and to carry out your requests where you contact us. In some instances, such as where we use “non-essential” cookies we will obtain your consent to process personal data. For further information on the use of cookies please see our Cookies Notice later in this document.

Children
We do not knowingly collect or use personal data from children under 16 years of age. If we learn that we have collected personal data from a child under 16 years of age, the personal data will be deleted as soon as possible. If a child under 16 years of age has provided us with personal data their parent or guardian may contact our data protection officer.

Key definitions in this notice

Who we are
When we refer to Sikoia in this privacy notice, we mean Sikoia Limited. Sikoia is a privately held company, headquartered and operating out of London, UK and registered with the Information Commissioner’s Office (“ICO”) in the UK. Where we determined the purpose and means of processing personal data we act as a controller and where we act upon the instructions of our Client, we are a processor.

Client
‘Client’ means a company which has asked us to process your information on their behalf. Sikoia has a contractual arrangement with the client to do this. The client is the controller.

You
‘You’ means the end user. You will typically be a customer of Sikoia’s client or be considering becoming a customer. Alternatively you may be a supplier, customer or employee of Sikoia or be considering becoming so. In both cases, you are the Data Subject.

Lawful basis for processing your information
Under Data Protection Laws, the lawful bases we rely on for processing your information include:

  1. Necessary for the performance of a contract
    1. This basis applies when you have a contract with our client or are taking an initial step towards establishing a contract.

  2. Legitimate interest
    1. This basis applies where we analyse your information for purposes such as reducing fraud, improving credit risk and making responsible lending decisions.

    2. This basis may also apply where our client has a legitimate interest basis for processing your information in a particular way, and we carry out that processing on their behalf.

  3. Consent
    1. This basis may additionally apply when you have freely given consent for your information to be processed by us for a particular purpose.

  4. The type of personal information we have may include.

  5. Name, address, email, phone number and date of birth
  6. Details disclosed by you in a credit application
  7. Details of any shared credit with other parties
  8. Financial situation and history
  9. Employment situation and history
  10. Fraud prevention information
  11. Public information sources such as the Electoral Register, Companies House, published media and social networks

How we process your information
We act as a processor and will process your information in accordance with the controller’s instructions.

How we get your personal information
Your personal information can be added to our platform from a number of sources including:

  1. You, while you interact with Sikoia, a client, or a third-party system.
  2. A client, when that client sends data about you to Sikoia for processing.
  3. Other organisations (for example credit reference agencies, company registry offices, and social media), when gathered on behalf of our clients whilst using our products and services.

We may use your personal information:

  1. To provide products and services to our clients.
  2. To engage with you as a supplier, customer or employee, where appropriate.
  3. To ensure that we comply with laws or regulations.
  4. For other purposes including improving our services and exercising our rights in relation to agreements and contracts and identifying products and services that may be of interest.
  5. When we use your information like this, we will ensure it is covered by one of the lawful bases for processing personal data.

We do not sell your personal information to third parties.

Who we share your personal information with
We may share personal data in the following instance:

  1. Employees.
    1. We may disclose user data to any member of our organisation who reasonably needs access to user data to achieve the purposes set out in this Privacy Notice.

  2. Other Disclosures.
    1. We will not sell or share your data with other third parties, except in the following cases: If the law requires it, if it is required for any legal proceeding, to prove or protect our legal rights and to buyers or potential buyers of this company in the event that we seek to sell the company.

If you follow hyperlinks from our Website to another Website, please note that we are not responsible for and have no control over their privacy policies and practices.

Your personal information will be shared within Sikoia and with other companies that provide services to you or us including:

  1. Clients we cooperate with, based on a contractual arrangement, who ask us to process your information on their behalf.
  2. Outside companies whose services we use to run our business including agents, suppliers, sub-contractors and advisers. Some examples of such companies include:

    1. Computing Services - Microsoft Azure

    2. OpenBanking - Nordigen, TrueLayer, Yapily.

    3. Credit Reference Agencies - TransUnion, Equifax, Experian.

    4. Identity Verification - Veriff, Au10tix.

What rights you have over your personal information
The law gives you a number of rights in relation to your personal information including:

  1. The right to access the personal information we have about you.
  2. The right to get us to correct personal information that is wrong or incomplete.
  3. In certain circumstances, the right to ask us to stop using or delete your personal information.
  4. Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
  5. Your right to object to processing - You have the right to ask us to object to the processing of your information in certain circumstances.
  6. Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

To exercise these rights, please refer to the “How you can contact us” section below for information on how to reach us.

How we use credit reference agencies and fraud databases
In order to process your application, our clients may use our platform to supply your personal information to credit reference agencies (CRAs) and fraud databases and ask them to provide information about you, such as about your financial history.

They do this this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

The data exchanged may include:

  1. Name, address and date of birth
  2. Credit application
  3. Details of any shared credit
  4. Financial situation and history
  5. Fraud prevention information
  6. Public information sources such as the Electoral Register, Companies House, published media and social networks.

Our clients may use this data to:

  1. Assess whether you or your business is able to afford to make repayments
  2. Make sure what you’ve told them is true and correct
  3. Help detect and prevent financial crime
  4. Manage your accounts with them
  5. Trace and recover debts
  6. Make sure any offers are relevant for you

When a CRA is asked about you or your business, they will note it on your credit file. This is called a credit search.

You can find out more about the CRAs on their websites, in the Credit Reference Agency Information Notice (CRAIN). You can also contact them to ask them to update your information if you believe that the data they hold about you is incorrect.

Here are links to the information notice for each of the three main UK Credit Reference Agencies:

  1. TransUnion - https://www.transunion.co.uk/legal/privacy-centre?#pc-credit-reference
  2. Equifax - https://www.equifax.co.uk/crain
  3. Experian - https://www.experian.co.uk/legal/crain

International transfers
When we process your personal data, send it to a client, or send it to a third-party for processing, this may involve transferring your data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure an equivalent level of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  1. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  2. Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

How we keep your data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How long we store your personal data
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

In some circumstances you can ask us to delete your data: see section “What rights you have over your personal information” for further information .

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

How you can contact us
If you have any questions, concerns or complaints, you can contact our data protection officer at: info@sikoia.com, 71-75 Shelton Street, London, United Kingdom, WC2H 9JQ.

If you are unsatisfied with the outcome of your complaint about how we have handled your data you can complain to the UK Information Commissioner’s Office (“ICO”).

Cookies notice
A cookie is a small file, stored on a user’s hard drive by a website. Its purpose is to collect data relating to the user’s browsing habits. You can choose to be notified each time a cookie is transmitted. You can also choose to disable cookies entirely in your internet browser or by using the cookies consent mechanism but this may decrease the quality of your user experience.

We use the following types of cookies on our Site:

  1. Analytical cookies
    1. Analytical cookies allow us to improve the design and functionality of our Site by collecting data on how you access our Site, for example data on the content you access, how long you stay on our Site, etc; and

  2. Third-Party Cookies
    1. Third-party cookies are created by a website other than ours. We may use third-party cookies to achieve the following purposes:

      1. Monitor user preferences in order to improve website usage.