If your organisation registers to use the Services provided on our platform, we need to collect and use information about you or individuals at your organisation in relation to your loan application, in the course of providing you with our Services. This information is likely to include information which is classified as Sensitive Personal Data or Information (‘SPDI’) under the Sensitive Information Rules.
Depending on the relevant circumstances, we may collect some or all of the information listed below to help us with this:
We collect your personal data in three primary ways:
Personal data you give to us
Personal data we receive from other sources
Personal data we collect automatically
We collect and use your personal data for a number of reasons, including:
We will share your personal data primarily to ensure we provide you with the most efficient and effective services to you. Unless you specify otherwise, we may share your information with any of the following groups:
We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures, including encryption measures and disaster recovery plans.
If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Please raise your concern with email@example.com, in the first instance, and we will investigate the matter and update you as soon as possible on next steps.
We will not keep your personal data for longer than is necessary for the purposes for which we collect it unless we believe that the law or other regulation requires us to preserve it (for example, because of a request by a tax authority or in connection with any anticipated litigation).
When it is no longer necessary to retain your data, we will delete the personal data that we hold about you from our systems. While we will endeavour to permanently erase your personal data once it reaches the end of its retention period, some of your personal data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again.
You have various rights in relation to the data which we hold about you. We have set these out below.
To get in touch with us about any of these rights, please contact firstname.lastname@example.org. We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your personal data where we do so for one of the following reasons:
Right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
Data Subject Access Requests
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
Right to erasure
You have the right to request that we "erase" your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain circumstances, for example if you dispute the accuracy of the personal data that we hold about you or you object to our processing of your personal data for our legitimate interests. If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right to rectification
You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of data portability
If you wish, you have the right to transfer your personal data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine- readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.
Right to complain
You also have the right to lodge a complaint with your local supervisory authority.
You can also lodge a complaint with CreditEnable at:
CreditEnable is responsible for processing your personal data. CreditEnable is a private limited company with its registered office located at 175, Metro Estate, Kagalwala House, C-East, CST Road Kalina, Bandra Kurla Complex, Santacruz East, Mumbai, - 400098, India and trading offices at 1902, Tower B- Peninsula Business Park, GK Marg, Lower Parel, Mumbai 400013.
Your information will be stored by CreditEnable and/or its affiliated technology partners via secure database.
We take privacy seriously and will get back to you as soon as possible.
The data that we collect from you will be transferred to, and stored at, destinations both within and outside the European Economic Area (EEA).
We want to make sure that your personal data is stored and transferred in a way which is secure. We will therefore only transfer data outside of the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data. For example, this could be:
Where we transfer your personal data outside the EEA and where the country or territory in question does not maintain adequate data protection standards, we will take all reasonable steps to ensure that your data is treated securely and in accordance with this policy.
There are a number of different ways that we are lawfully able to process your personal data. We have set these out below.
Where processing your data is within our legitimate interests
We are allowed to use your personal information where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you.
We believe that our use of your personal information is within a number of our legitimate interests, including but not limited to:
We don't think that any of the activities set out above will prejudice you in any way. However, you do have the right to object to us processing your personal information on this basis. We have set out details regarding how you can go about doing this in the "Access, Correction and Inquires" section below.
Where you give us your consent to process your personal data
We are allowed to use your personal information where you have specifically consented. In order for your consent to be valid:
We seek your consent when you register to use our platform. Before giving your consent you should make sure that you read any accompanying information provided by us so that you understand exactly what you are consenting to.
You have the right to withdraw your consent at any time, and details of how to do so can be found above in the "Right to withdraw consent" section above.
Where processing your personal data is necessary for us to carry out our obligations under our contract with you
We are allowed to use your personal information when it is necessary to do so for the performance of our contract with you.
For example, we need to hold your email address in order to be able to send you reports and other analysis where you have requested them.
1 The GDPR has an effective date of 25 May 2018, and any references to it should be construed to include any national legislation implementing it.