Privacy Policy - Legal Disclosures for Processing Data

Effective date: 7 April, 2022

  1. About this document

    This document is Sikoia's privacy notice. It explains why Sikoia processes personal data, what is done with it, how long it is kept, whether it is shared with other parties, and how long it is kept. It also explains your rights and how to exercise them

  2. Key definition in this policy

    1. 2.1 Who we are

    2. When we refer to Sikoia in this Privacy Policy, we mean Sikoia Limited. Sikola is a privately held company, headquartered and operating out of London, UK and registered with the Information Commissioner's Office in the UK. It is a Data Processor.

    1. 2.2 Client

    2. 'Client' means a company which has asked us to process your information on their behalf. Sikoia has a contractual arrangement with the client to do this. The client is the Data Controller.

    1. 2.3 You

    2. 'You' means the end user. You will typically be a customer of Sikoia's client, or be considering becoming a customer. You are the Data Subject.

  3. Lawful basis for processing your information

    Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing your information include:

    1. Necessary for the performance of a contract

      1. This basis applies when you have a contract with our client or are taking an initial step towards establishing a contract.

    1. Legitimate interest

      1. This basis applies where we analyse your information for purposes such as reducing fraud, improving credit risk and making responsible lending decisions.
      2. This basis may also apply where our client has a legitimate interest basis for processing your information in a particular way, and we carry out that processing on their behalf.

    1. Consent

      1. This basis may additionally apply when you have freely given consent for your information to be processed by us for a particular purpose.

    The type of personal information we have may include:

    1. Name, address and date of birth
    1. Details disclosed by you in a credit application
    1. Details of any shared credit with other parties
    1. Financial situation and history
    1. Fraud prevention information
    1. Public information sources such as the Electoral Register, Companies House, published media and social networks

  4. How we process your information

    We act as Data Processors and will process your information in accordance with the Data Controller’s instructions.

    1. 4.1 How we get your personal information

      Your personal information can be added to our platform from a number of sources including:
      1. You, while you interact with Sikoia, a client, or a third-party system.
      2. A client, when that client sends data about you to Sikoia for processing.
      3. Other organisations (for example credit reference agencies, company registry offices, and social media), when gathered on behalf of our clients whilst using our products and services.

    1. 4.2 How we get your personal information

      We use your personal information:
      1. To provide products and services to our clients.
      2. To ensure that we comply with laws or regulations.
      3. For other purposes including improving our services and exercising our rights in relation to agreements and contracts and identifying products and services that may be of interest.

      When we use your information like this, we will ensure it is covered by one of the GDPR bases for processing personal data listed in section 4.

      We do not sell your personal information to third parties.

    1. 4.3 Who we share your personal information with

      Your personal information will be shared within Sikoia and with other companies that provide services to you or us including:
      1. Clients we cooperate with, based on a contractual arrangement, who ask us to process your information on their behalf.
      2. Outside companies whose services we use to run our business including agents, suppliers, sub-contractors and advisers.
        1. Some examples of such companies include:
          1. OpenBanking – Nordigen, TrueLayer
          2. Credit Reference Agencies – TransUnion, Equifax, Experian
          3. Identity Verification – Veriff
          4. Computing Services – Microsoft Azure
        2. Additional companies are listed on Sikoia’s web site.

    1. 4.4 What rights you have over your personal information

      The law gives you a number of rights in relation to your personal information including:
      1. The right to access the personal information we have about you.
      2. The right to get us to correct personal information that is wrong or incomplete.
      3. In certain circumstances, the right to ask us to stop using or delete your personal information.
      4. Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
      5. Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

    2. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

    3. To exercise these rights, please refer to the “How you can contact us” section below for information on how to reach us.

    1. 4.5 How we use credit reference agencies

      In order to process your application, our clients may use our platform to supply your personal information to credit reference agencies (CRAs) and fraud databases and ask them to provide information about you, such as about your financial history.

    2. They do this this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

    3. The data exchanged may include:
      1. Name, address and date of birth
      2. Credit application
      3. Details of any shared credit
      4. Financial situation and history
      5. Fraud prevention information
      6. Public information sources such as the Electoral Register, Companies House, published media and social networks.

    4. Our clients may use this data to:
      1. Assess whether you or your business is able to afford to make repayments
      2. Make sure what you’ve told them is true and correct
      3. Help detect and prevent financial crime
      4. Manage your accounts with them
      5. Trace and recover debts
      6. Make sure any offers are relevant for you.

    5. When a CRA is asked about you or your business, they will note it on your credit file. This is called a credit search.

      You can find out more about the CRAs on their websites, in the Credit Reference Agency Information Notice (CRAIN). You can also contact them to ask them to update your information if you believe that the data they hold about you is incorrect.

      Here are links to the information notice for each of the three main UK Credit Reference Agencies:
      1. TransUnion -
      2. Equifax -
      3. Experian -

    1. 4.6 International Transfers

    2. When we process your personal data, sent it to a client, or send it to a third-party for processing, this may involve transferring your data outside the UK.

      Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
      1. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
      2. Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

    3. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

    1. 4.7 How we keep your data secure

    2. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

      We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

    1. 4.8 How long we store your personal data

    2. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

      We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

      By law we have to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

      In some circumstances you can ask us to delete your data: see section 5.4 for further information.

      In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

  5. How you can contact us

    If you have any questions, concerns or complaints, you can contact our data protection officer at:, 71-75 Shelton Street, London, Greater London, United Kingdom, WC2H 9JQ. If you are unsatisfied with the outcome of your complaint about how we have handled your data you can complain to the Information Commissioners Office (details available on their website).