1.3 If you are an existing customer of ours, further details about how we use your personal information is set out in your Running Account Credit Agreement. Further notices highlighting certain uses we wish to make of your personal information together with the ability to opt in or out of selected uses may also be provided when we collect personal information from you.
1.4 Our Website may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.
- Who we are
- What personal information about you we may collect
- How we may use your personal information
- How we protect your personal information
- Contacting us & your rights to prevent marketing and to access and update your personal information
- Our Cookies Policy
2 Who we are
2.1 Capital on Tap is the trading name of New Wave Capital (company number 07959823, registered office No.1 London Bridge, London, England, SE1 9BG).
3 Information we may collect about you
3.1 We will collect and process all or some of the following personal information about you:
(a) Information you provide to us ► personal information that you provide to us (or is provided to us by third parties (for example, a broker)), such as when using the application form on our Website, including your name, email address, and other contact details;
(b) Credit and Anti-Fraud information ► information relating to your financial situation, your creditworthiness or any criminal or fraudulent activities provided to us by you or third parties, including information which establishes your identity, such as driving licences, passports and utility bills; information about transactions, credit ratings from credit reference agencies; fraud, offences, suspicious transactions, politically exposed person and sanctions lists where your details are included.
(c) Your transactions ► details of transactions you carry out through our Website or through other channels and of the fulfilment of the services we provide. This will include card transaction and usage data that we collect when you use your Capital on Tap Business Visa Card or your Capital on Tap Corporate Mastercard, and draw down dates, values and bank account information where applicable. It will also include any transaction and/or accounting data provided to us where you allow us to access this information through integration with your accounting software or through a third party supplier;
(d) Our correspondence ► if you contact us, we will typically keep a record of that correspondence. This may include telephone calls, which we record to assist us in training our staff and undertaking quality checks;
(e) Data from third parties ► From time to time we obtain details of potential customers from our partner organisations, which we use to provide postal marketing services to those individuals, to advise of our service offering. We may also receive some personal data from you in the course of undertaking our credit reference and fraud prevention checks described at paragraph (b) above;
(f) Survey information ► we may also ask you to complete surveys that we use for research purposes. In such circumstances we shall collect the information provided in the completed survey; and
(g) Website and communication usage ► details of your visits to our Website and information collected through cookies and other tracking technologies including, but not limited to, your IP address, domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
4 Uses made of your personal information
4.1 In this section, we set out the purposes for which we use personal information that we collect via our Website and, in compliance with our obligations under European law, identify the “legal grounds” on which we rely to process the information.
4.2 These “legal grounds” are set out in European Data Protection Law, which allows companies to process personal data only when the processing is permitted by the specific “legal grounds” set out in law (the full description of each of these grounds can be found here.
4.3 Please note that in addition to the disclosures we have identified below, we may disclose personal information for the purposes we explain in this notice to service providers, contractors, agents, advisors (e.g. legal, financial, business or other advisors) and affiliates of Capital on Tap that perform activities on our behalf
(a) To communicate effectively with you and conduct our business ► to manage your loan, including to respond to your queries, to otherwise communicate with you, or to carry out our obligations arising from any agreements entered into between you and us;
Lawful Bases: contract performance, legitimate interests (to enable us to perform our obligations, provide our services to you and keep you informed)
(b) To confirm that your details are correct ► so that we can ensure that information used to assess your application is entirely correct, we will cross check it against resources such as:
(i) Companies House, to confirm company information;
(ii) postcode confirmation services;
(iii) data validation services, to confirm bank account details; and
(iv) the Electoral Roll, to confirm your address.
The purpose of these checks is to prevent inconsistencies (whether between records or simply as a result of typing errors) from disrupting our assessment of your application. Sometimes, where we cannot confirm your details based on the information you initially provide us, we will request further documentation. For example, copies of identification documents or bank statements.
Lawful Bases: contract performance, legitimate interests (to enable us to verify your information)
(c) To assess applications for credit ► Whether you make an application for credit in your personal capacity, as the ultimate owner of a company, or through an enterprise, we will use your personal data for the purpose of assessing eligibility and affordability. To do this, we will:
(i) undertake checks against PEP (Politically Exposed Persons) Sanctions and AML (Anti Money Laundering) databases; and
(ii) utilise a credit referencing agency to undertake a credit check.
We will then combine the personal information you have provided to us with the results of these checks to assess you against our eligibility criteria. More information in relation to this process is set out at Profiling and Automated Decision Making.
Lawful Bases: contract performance, legitimate interests (to enable us to assess your eligibility and affordability prior to potentially issuing credit)
(d) In relation to fraud/crime prevention ► personal information we have collected from you will be shared with fraud prevention agencies that will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused finance, or your existing facility may be frozen, pending investigation. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by clicking here.
Lawful Bases: legitimate interests (to allow us to improve our services, products and business). Where personal data relating to criminal convictions or offences is processed, we will rely on substantial public interest (fraud prevention) or legal claims, as applicable.
(e) To undertake continuing checks and monitoring ► to monitor queries and transactions to ensure service quality and compliance with procedures.
Where we have made a loan, we will continue to check against your credit report, PEP, sanctions and/or anti-money-laundering databases on a periodic basis. We also undertake ongoing monitoring of your transactions, for fraud detection or crime prevention purposes. See Profiling and Automated Decision Making for more information.
Lawful Bases: legal obligations, legitimate interests (to ensure the quality of services, or to ensure that you fall within our acceptable risk profile and/or to assist with the prevention of crime and fraud). Where personal data relating to criminal convictions or offences is processed, we will rely on substantial public interest (fraud prevention) or legal claims, as applicable.
(f) To collect repayments ► We will generally collect loan repayments directly from you. We use GoCardless to process your direct debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at https://gocardless.com/legal/privacy/
Where you are late in making a scheduled payment, we may engage a collections agent to obtain repayment on our behalf. We have a process in place to assist individuals who are struggling to make repayments on their loan. If you have difficulties making payments under your credit agreement please contact us at your first opportunity by phone or by email as set out in “Contact Us”. You may also want to seek advice on what to do from an independent free advice agency such as the Citizens Advice Bureau.
Lawful Bases: Contract performance, legitimate interests (to recover sums owed to us in accordance with our agreement with you).
(g) To provide you with marketing materials ► to provide you with updates and offers, where you have chosen to receive these. We may also use your information for marketing products and services to you by post, email, SMS or phone and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out in “Contact Us”.
Lawful Basis: consent, legitimate interests (to offer you products and services that may be of interest to you)
(h) For research and development purposes ► to analyse your personal information in order to better understand your requirements, to better understand our business and develop our products and services. We may also share your information with social media providers, exclusively for purposes of market research, and only where you have provided consent to that social media provider to assist us with this research;
Lawful Bases: legitimate interests (to enable us to improve our services, products and business)
(i) Engagement with Enterprise Partners ► If you are provided a Capital on Tap Business Visa Card or a Capital on Tap Corporate MasterCard in collaboration with one of our Enterprise Partners, we may share your card transaction and usage data with that Enterprise Partner, depending on the contract that you have with them. We will make clear in your contract if your Capital on Tap Business Visa Card or a Capital on Tap Corporate MasterCard was issued in collaboration with one of our Enterprise Partners.
Lawful Bases: contract performance, legitimate interests (to allow us to deliver feature the features and enhancements associated with your account, as stated in our contract with you. You can find out more at: https://www.capitalontap.com/en/faq)
(j) Assignment of your debt ► Where a loan has been made, we may assign our rights and responsibilities under our agreement with you (the Running Account Credit Agreement) or the entity you represent, by means of an equitable assignment. This process is an important method to enable us to raise finance.
Where such an assignment is made, it will not adversely affect your rights under your agreement with us and your relationship will remain with us, as opposed to the assignee. It will not impact our processing of your personal data, although anonymised information relating to your loan will be provided to the assignee, ratings agencies, securitisation data repositories and financiers.
In some (very rare) circumstances, we may need to assign the debt in its entirety to the assignee, in which case the assignee will receive your personal information for the same purposes as we use it for. For more information, click here.
Lawful Bases: legitimate interests (to enable us to raise finance); contract performance (in relation to assignment).
(k) To inform you of changes ► to notify you about changes to our services and products;
Lawful Bases: legitimate interests (to notify you about changes to our service)
(l) To ensure website content is relevant ► to ensure that content from our Website is presented in the most effective manner for you and for your device, which may include passing your data to business partners, suppliers and/or service providers;
Lawful Bases: legitimate interests (to allow us to provide you with the content and services on our Website)
(m) To reorganise or make changes to our business ► in the event that we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation, we may need to transfer some or all of your personal information to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. We may also need to transfer your personal information to that re-organised entity or third party after the sale or reorganisation for them to use for the same purposes as set out in this policy.
Lawful Bases: legitimate interests (in order to allow us to change our business); contract performance (in relation to assignment)
(n) In connection with legal or regulatory obligations ► We may process your personal information to comply with our regulatory requirements or dialogue with regulators as applicable which may include disclosing your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
Lawful Bases: legal obligations, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities)
(o) (o) For other purposes ► From time to time, we may use your data in other ways from those described above, but we will let you know before doing so.
5 Profiling and Automated Decision Making
5.1 Our loan approval process relies on automated analysis of personal information provided by you in the application process, alongside that received from credit referencing agencies and fraud prevention agencies, to make the following decisions:
(a) eligibity – whether it is appropriate to offer you a loan;
(b) affordability – the maximum value of the loan (i.e., the credit limit); and
(c) the term of the loan.
5.2 We try to make lending decisions as quickly as possible. This is how our use of automated processing benefits our customers. However, in some circumstances, automated decisions are not appropriate. For example, you may have a credit history that does not squarely meet our criteria, and, where combined with other factors that improve your eligibility, may warrant further consideration. In these instances, we refer your application to an underwriter. The underwriter will undertake an objective review of your application and the automated decision may be revised in the event that the underwriter considers that lending may be appropriate.
5.3 Where a loan has been made, we will re-assess your credit score on a periodic basis to ensure whether the current level of lending remains appropriate and/or whether we may be able to offer you further credit. Where you have applied for a loan and been declined, we may also re-assess your credit score in the twelve month period following your application to check whether we are subsequently able to offer you credit based on new information.
5.4 In a small amount of cases, where there has been a decline in our appraisal of your credit we may reduce the loan offering accordingly. In the event of a significant default we may freeze or withdraw the loan facility to prevent any further borrowing and you will be informed.
5.5 We also undertake continuing checks to combat fraud. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. For more information on the anti-fraud measures adopted by us, click here.
5.6 This process may result in you not being able to complete a purchase using your Capital on Tap card. You may want to check your information, or try again using a different method of payment.
Transaction Authorisation and Monitoring
5.7 Where you request to draw down money into a bank account from your Capital on Tap account, checks will be done on your available balance to ensure that sufficient funds are available before authorising the transaction. We also undertake checks to combat fraud and financial crime. These checks may include automated transaction monitoring for fraud and financial crime prevention. See Profiling and Automated Decision Making. We reserve the right to restrict or decline draw downs where it is deemed that the request does not fit the permitted usage as defined in your Terms and Conditions.
5.8 This process may result in you not being able to complete a draw down or may result in us requesting additional information from you before allowing the draw down to be completed.
5.10 We and Valitor will also undertake checks to combat fraud and financial crime. These checks may include automated transaction monitoring for fraud and financial crime prevention. See Profiling and Automated Decision Making .
5.11 This process may result in you not being able to complete a purchase using your Capital on Tap card. You may want to check your payment information, or try again using a different method of payment.
Your rights relating to automated decisions
5.12 In relation to each of the instances of automated decision-making referred to above, you may request that we provide information about our methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify (or request the relevant third party to verify) that the algorithm and source data are functioning as anticipated without error or bias.
6 Who we share your personal information with
6.2 In addition, we may disclose information about you:
(a) To the extent that we are required to do so by law;
(b) To counterparties, regulators and law enforcement agencies in connection with any legal proceedings or prospective legal proceedings, or in order to establish, exercise or defend our legal rights including providing information to others for the purposes of fraud prevention and reducing credit risk;
(c) To any third party who provided your details to us (for example, a broker) in connection with the outcome of your application; and
(d) (c)(d) To the purchaser or prospective purchaser of any business or asset which we are or are selling or contemplating selling.
7 Transmission, storage and security of your personal information
Security over the internet
7.1 No data transmission over the Internet or website can be guaranteed to be secure from intrusion. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements.
7.2 We will store all personal information you provide on our secure password and firewall protected servers. All electronic transactions you make to or receive from us on our website will be encrypted using SSL technology. SSL certificates meet the highest standard in internet security for website authentication.
7.3 All information you provide to us is stored on our or our subcontractors’ servers and accessed and used subject to our security policies and standards. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.
Export outside the EEA
7.5 Where we transfer personal information from inside the European Economic Area (the EEA) to outside the EEA, we may be required to take specific additional measures to safeguard the relevant personal information. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. In countries which have not had these approvals (see the full list here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm ), we will establish legal grounds justifying such transfer, such as EU Commission-approved model contractual clauses, or other legal grounds permitted by applicable legal requirements.
7.6 Please contact us as set out in the “Contact Us” section below if you would like to see a copy of the specific safeguards applied to the export of your personal information.
7.7 Our retention periods for personal data are based on business needs and legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When personal data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.
7.8 You have rights in relation to the retention and use of your data as set out in the “Your Rights” section below.
8 Your rights & contacting us
8.1 We will use reasonable endeavours to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by contacting us as set out in the “Contact Us” section below .
8.2 If you have any questions in relation to our use of your personal information, you should first contact us as per the “Contact Us” section below. Under certain conditions, you may have the right to require us to:
(a) provide you with further details on the use we make of your information;
(b) provide you with a copy of information that you have provided to us;
(c) update any inaccuracies in the personal information we hold (please see paragraph 5.2);
(d) delete any personal information the we no longer have a lawful ground to use;
(e) where processing is based on consent, to withdraw your consent so that we stop that particular processing;
(f) to ask us to transmit the personal data you have provided to us and we still hold about you to a third party;
(g) object to any automated decision making or processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
(h) restrict how we use your information whilst a complaint is being investigated.
8.3 Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). If you exercise any of these rights we will check your entitlement and respond in most cases within a month.
8.4 If you are not satisfied with our use of your personal information or our response to any exercise of these rights you have the right to complain to the Information Commissioner’s Office:https://ico.org.uk/concerns/
8.5 You have the right to ask us not to process your personal information for marketing purposes at any time. You can exercise your right to opt out of such processing by editing your preferences in your customer portal or by filling in this form at any time: https://www.capitalontap.com/en/optout
If you are a sole trader or an unincorporated partnership with less than four partners, you should read the following, FCA required risk warning:
Warning: Late payment can cause you serious money problems. For help, go to www.moneyadviceservice.org.uk.
9 Cookies policy
9.1 You can read our full cookies policy here: https://www.capitalontap.com/en/cookies .
Annex 1: Lawful bases
Use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the grounds in respect of each use in this policy. We note the grounds we use to justify each use of your information next to the use in the “Uses of your personal information” section of this policy.
These are the principal legal grounds that justify our use of your personal data:
Consent : where you have consented to our use of your information (you will have been presented with a consent form in relation to any such use and may withdraw your consent by editing your preferences on your customer portal or by following this link: https://www.capitalontap.com/en/optout
Contract performance : where your information is necessary to enter into or perform our contract with you.
Legal obligation : where we need to use your information to comply with our legal obligations.
Legitimate interests : where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
In determining that the use of your information is necessary to achieve a legitimate interest of ours, we have taken into account your data protection rights. If you have any questions about the assessment we have made in order to rely on this legal basis, please contact us using the details set out in the “Contact us” section.
These are the principal Lawful Bases that justify our potential processing of personal data relating to criminal offences and convictions:
Substantial Public Interest: to prevent fraud
Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, or a third party.
Annex 2: Processing for fraud prevention and detection purposes
1.1 Before we provide our services to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
1.2 The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
1.3 We, fraud prevention and debt collection agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
1.4 We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
1.5 Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
1.6 As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us at firstname.lastname@example.org.
Consequences of processing
1.7 As a consequence of processing, if we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
1.8 A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on email@example.com.
1.9 Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Annex 3: Processing for credit referencing purposes
1.1 In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). We may also make periodic searches at CRAs to manage your account with us.
1.2 To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
1.3 We will use this information to:
(a) Assess your creditworthiness and whether you can afford to take the product;
(b) Verify the accuracy of the data you have provided to us;
(c) Prevent criminal activity, fraud and money laundering;
(d) Manage your account(s);
(e) Trace and recover debts; and
(f) Ensure any offers provided to you are appropriate to your circumstances.
1.4 We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
1.5 When CRAs receive a search from us, depending on the type of search, they may place a search footprint on your credit file that may be seen by other lenders.
1.6 If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
1.7 The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail here (clicking on any of the below links will take you to the same notice document):
Call Credit: https://www.callcredit.co.uk/crain
Annex 4: Third Parties
1.1 IT Services
(a) We use third party providers to:
(i) host our IT database;
(ii) send SMS communications;
(iii) share emails and documents;
(iv) provide phone, online chat and ticketing services;
(v) receive internet and telephone services;
(vi) provide internal reporting and data visualisation tools
(vii) receive internal instant messaging service;
(viii) transfer data;
1.2 Card Services
(a) We use third party providers to:
(i) process transactions; and
(ii) manufacture our cards
(a) We use third party providers to:
(i) provide us with prospect information;
(ii) confirm the accuracy of the entries within our marketing database;
(iii) advertise for us (often, we will use an aggregator or broker);
(iv) produce and post letters relating to our marketing campaigns; and
(v) In relation specifically to social media providers, identify a wider customer base to direct our marketing to
(a) We use third party providers to:
(i) help us recover debt; and
(ii) recover debt on our behalf
1.5 Payment Services
(a) We use third party providers to:
(i) process payment of Direct Debits;
(ii) process payment by Debit Cards; and
(iii) process payments made into customer bank accounts.
1.6 Data validation
(a) We use third party providers to:
(i) to verify customer details;
(ii) to verify business details; and
(iii) supply bank detail validation.
We use third party providers to administer our Out of Hours customer contact service
1.8 Brokers and partners
(a) We use third party providers to:
(i) refer us potential customers;
(ii) partner with us as part of our enterprise solution; and
(iii) integrate accountancy software platforms used by those applying for, and using, our products.