Effective date: 7 April, 2022
About this document
This document is Sikoia's privacy notice. It explains why Sikoia processes personal data, what is done
with it, how long it is kept, whether it is shared with other parties, and how long it is kept. It also
explains your rights and how to exercise them
Key definition in this policy
2.1 Who we are
Sikola is a privately held company, headquartered and operating out of London, UK and registered
with the Information Commissioner's Office in the UK. It is a Data Processor.
'Client' means a company which has asked us to process your information on their behalf.
Sikoia has a contractual arrangement with the client to do this.
The client is the Data Controller.
'You' means the end user. You will typically be a customer of Sikoia's client, or be considering becoming a customer.
You are the Data Subject.
Lawful basis for processing your information
Under the General Data Protection Regulation (GDPR),
the lawful bases we rely on for processing your information include:
Necessary for the performance of a contract
This basis applies when you have a contract with our client or are taking an initial step towards establishing a contract.
This basis applies where we analyse your information for purposes such as reducing fraud,
improving credit risk and making responsible lending decisions.
This basis may also apply where our client has a legitimate interest basis for processing your information in a particular way,
and we carry out that processing on their behalf.
This basis may additionally apply when you have freely given consent for your information to be processed by us for a particular purpose.
The type of personal information we have may include:
Name, address and date of birth
Details disclosed by you in a credit application
Details of any shared credit with other parties
Financial situation and history
Fraud prevention information
Public information sources such as the Electoral Register, Companies House, published media and social networks
How we process your information
We act as Data Processors and will process your information in accordance with the Data Controller’s instructions.
4.1 How we get your personal information
Your personal information can be added to our platform from a number of sources including:
You, while you interact with Sikoia, a client, or a third-party system.
A client, when that client sends data about you to Sikoia for processing.
Other organisations (for example credit reference agencies, company registry offices, and social media),
when gathered on behalf of our clients whilst using our products and services.
4.2 How we get your personal information
We use your personal information:
To provide products and services to our clients.
To ensure that we comply with laws or regulations.
For other purposes including improving our services and exercising our rights in relation to agreements and
contracts and identifying products and services that may be of interest.
When we use your information like this, we will ensure it is covered by one of the GDPR bases for processing personal data listed in section 4.
We do not sell your personal information to third parties.
4.3 Who we share your personal information with
Your personal information will be shared within Sikoia and with other companies that provide services to you or us including:
Clients we cooperate with, based on a contractual arrangement, who ask us to process your information on their behalf.
Outside companies whose services we use to run our business including agents, suppliers, sub-contractors and advisers.
Additional companies are listed on Sikoia’s web site.
4.4 What rights you have over your personal information
The law gives you a number of rights in relation to your personal information including:
The right to access the personal information we have about you.
The right to get us to correct personal information that is wrong or incomplete.
In certain circumstances, the right to ask us to stop using or delete your personal information.
Your right to restriction of processing -
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to data portability -
You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
To exercise these rights, please refer to the “How you can contact us” section below for information on how to reach us.
4.5 How we use credit reference agencies
In order to process your application,
our clients may use our platform to supply your personal information to credit reference agencies (CRAs)
and fraud databases and ask them to provide information about you, such as about your financial history.
They do this this to assess creditworthiness and product suitability,
check your identity, manage your account, trace and recover debts and prevent criminal activity.
The data exchanged may include:
Name, address and date of birth
Details of any shared credit
Financial situation and history
Fraud prevention information
Public information sources such as the Electoral Register, Companies House, published media and social networks.
Our clients may use this data to:
Assess whether you or your business is able to afford to make repayments
Make sure what you’ve told them is true and correct
Help detect and prevent financial crime
Manage your accounts with them
Trace and recover debts
Make sure any offers are relevant for you.
When a CRA is asked about you or your business, they will note it on your credit file. This is called a credit search.
You can find out more about the CRAs on their websites, in the Credit Reference Agency Information Notice (CRAIN). You can also contact them to ask them to update your information if you believe that the data they hold about you is incorrect.
Here are links to the information notice for each of the three main UK Credit Reference Agencies:
When we process your personal data, sent it to a client, or send it to a third-party for processing, this may involve transferring your data outside the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
4.7 How we keep your data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost,
used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
4.8 How long we store your personal data
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for,
including for the purposes of satisfying any legal,
regulatory, tax, accounting or reporting requirements.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law we have to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.
In some circumstances you can ask us to delete your data: see section 5.4 for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
How you can contact us
If you have any questions, concerns or complaints, you can contact our data protection officer at:
firstname.lastname@example.org, 71-75 Shelton Street, London, Greater London, United Kingdom, WC2H 9JQ.
If you are unsatisfied with the outcome of your complaint about how we have handled your data you can complain to the Information Commissioners Office (details available on their website).