Privacy Policy - Fiduciam

Introduction

This Privacy Policy (“Policy”) describes how Fiduciam Nominees Limited, registered under the Data Protection Act 2018 (Act) with the Information Commissioner’s Office under registration reference ZA155195, Fiduciam Services Limited, registered under the Data Protection Act 2018 (Act) with the Information Commissioner’s Office under registration reference ZA264098, and the other members of the Fiduciam Group (“Fiduciam” “we”, “us”, and “our”) collect, store and use Personal Data and/or other Confidential Data including information about borrowers, guarantors, brokers, intermediaries, sub-contractors, investors, clients, contacts, suppliers, employees and job applicants. Where the aforementioned are legal entities, we may collect, store and use information about their directors, shareholders and other beneficial owners.

This Policy intends to be an umbrella policy that shall be applicable to Fiduciam Nominees Limited, Fiduciam Services Limited and the other members of the Fiduciam Group in relation to their processing of Data in the context of their financing and direct lending activities, either as Data controllers or processors and in addition to any other potential policies applicable in any specific jurisdiction in which the Fiduciam Group operates.

This Policy is an important document. We recommend that you read it carefully and print and keep a copy for your future reference. When you instruct us, interact with us, or otherwise contact us, we will assume you agree to the uses of your Personal Data and Confidential Data described in this Policy according to the terms and conditions described herein.

Definitions

“Agreement” refers to a written document which sets out the terms and conditions of the engagement of/with a specific Fiduciam entity and which describes the services to be provided, including but not limited to a facility agreement, platform agreement, personal guarantee, non-disclosure agreement, engagement letter, security document, employment contract, etc. Such Agreement terms should be relied upon in determining liability for the services provided.

“Confidential Data” means non-public information relating to legal entities, assets, financial instruments, investments, activities, Agreements and which does not constitute Personal Data.

“Data” means Personal Data and Confidential Data.

“Fiduciam Group” means the following entities:

- - Fiduciam Services Limited, with registered head office at Josaron House, 5-7 John Prince’s Street, London, W1G 0JN, registered under the Data Protection Act 2018 (Act) with the Information Commissioner’s Office under registration reference ZA264098.Fiduciam Nominees Limited, with registered office at Josaron House, 5-7 John Prince’s Street, London, W1G 0JN, registered under the Data Protection Act 2018 (Act) with the Information Commissioner’s Office under registration reference ZA155195
  - Fiduciam España S.L., with registered office at Calle José Abascal 41, 28003, Madrid, Spain.
  - Fiduciam Services Limited Spain Branch, with registered office at Calle José Abascal 41, 28003, Madrid, Spain.
  - Fiduciam GmbH, with registered office at Platz der Einheit 2, 60327 Frankfurt am Main, registered at the Amtsgericht, Frankfurt am Main under HRB 114211, Germany.
  - Fiduciam Services Limited Ireland Branch, with registered office at 31-36 Ormond Quay Upper, Dublin 7, Dublin D07 EE37.
  - Fiduciam Services Limited Luxembourg Branch, with registered office at 5 Place de la Gare, Luxembourg, L1616, Luxembourg.
  - Fiduciam Limited, with registered office at Albert House, South Esplanade, St Peter Port, Guernsey, GY1 1AW, and registered under the Data Protection (Bailiwick of Guernsey) Law, 2017 with the Information Office of the Data Protection Commissioner under registration reference 50241.

“Personal Data” means any information relating to an identified or identifiable natural person.

“you” and “your” (and other similar terms) refer to our borrowers, guarantors, brokers, intermediaries, sub-contractors, investors, clients, contacts, suppliers, funding partners, directors, shareholders and ultimate beneficial owners where the aforementioned are legal entities, employees, job applicants and website visitors.

Our Principles

We are aware of our obligations under the European General Data Protection Regulation as amended (the GDPR), and the Data Protection Act 2018 as amended (the DPA), and shall always ensure that your Personal Data is processed in accordance with the following principles:

- - that Personal Data is processed lawfully and in a transparent manner;
  - that Personal Data will only be processed for the purposes for which it was collected;
  - that Personal Data we hold will be relevant and limited to the purpose for which they were processed;
  - that Personal Data will be processed accurately and where relevant be kept up to date;
  - that Personal Data will be kept no longer than is necessary (in our reasonable opinion); and
  - that Personal Data and Confidential Data shall be adequately secured and protected against loss, unauthorised access or processing, and destruction or damage.

Your rights

You are entitled to a number of rights in relation to the Personal Data that we hold about you. You have the following rights in respect of your Personal Data:

- - to obtain access to your Personal Data;
  - to request us to rectify, supplement and update your Personal Data;
  - to the right to obtain information about the existence and processing of your Personal Data and to be informed of the contents and origin;
  - to object to us processing your Personal Data unless we have legitimate reasons (other than use simply based on your consent) to process your Personal Data;
  - in some cases, to have the processing of your personal data restricted (for example, where you contest the accuracy of your personal data, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead);
  - to request us to erase your Personal Data unless we hold your Personal Data for legitimate reasons (other than simply based on your consent);
  - to object to us transmitting your Personal Data to another data controller unless such transmission is for legitimate reasons;
  - not to be subject to a decision which is based solely on automated processing, including profiling which would have an adverse impact on your situation;
  - in some cases, to receive, move, copy or transfer your personal data to a controller which is also known as ‘data portability’, which applies to personal data you have given us if we are processing your personal data based on consent or the contract we have or had with you, and the processing is carried out by automated means;
  - where you granted us consent to collect and process your Personal Data, to withdraw such consent at any time you wish; and
  - to file a complaint with us and with the Information Commissioner’s Office or the data protection authority of your country of residence.

Please note that aforementioned rights are curtailed in following instances:

- - where your Personal Data are provided to us by a third-party data controller we may not be able to share them with you, rectify them and erase them, and in such circumstances we will refer you to such third-party data controller;
  - where we have a legitimate reason to hold your Personal Data, we cannot be obliged to stop processing and transmitting or to erase such Personal Data; and
  - where the exercise of any of the above rights would cause us to be in breach of the law or regulations (for instance in the case of anti-money laundering).

How long we will keep your Personal Data

We will hold your Personal Data for as long as the purpose exists increased by any minimum or statutory period as prescribed by any applicable law, regulations and regulatory guidance applicable to any jurisdiction in which Fiduciam or the Fiduciam Group operates. As of the date of this Policy, this means that we will keep:

- - Personal Data relating to our anti-money laundering and other regulatory obligations, which may be retained for up to a period of 10 years after the cessation of the business relationship;
  - Personal Data relating to any mortgage or other interest in land, property or other assets for a period of 12 years after the end of that mortgage or interest or the cessation of any claim in relation to them (whichever is longer); and
  - Personal Data relating to any other contract for a period of 6 years after the end of the contract or the cessation of any claim in relation to it (whichever is longer).

Prior to erasing the Personal Data, we may ask your consent to hold the Personal Data for a longer period if you may wish to obtain loans from us in the future. Furthermore, we may hold Personal Data beyond the aforementioned time limits without your consent in case of a commercial dispute, ongoing litigation or investigation. Call recordings may be retained for shorter periods of time than the timeframes described above depending on the storage terms agreed with the relevant call recording platform. As of the date of this Policy, call recordings will be retained for a period of 90 days after which they are automatically deleted.

What Personal Data and other Confidential Data do we collect?

From our initial contact with you through to providing you with our services or working together in other ways, we may collect various data (including Personal Data) about you and/or the company on behalf of which you act. We may collect, store and use the following data:

- - Information you provide us with. You may give us information about you by filling in forms or by corresponding with us by phone, e-mail, over the internet, during meetings or otherwise. This also includes information you provide when you register with us. The information you give us may include your name, address, e-mail address, phone number, date of birth, nationality, passport or national ID number and expiry date, marital status, tax identification number, employment details, bank details, passwords, financial information, corporate information, financial income, personal assets and liabilities, bankruptcy history, court judgements, sensitive information such as medical information credit history, references, credit reports, track record and CV, business plans, project descriptions, trading performance, shareholders, directors, partners and beneficial owners, correspondence, etc.
  - Information from third parties. We may obtain information about you (the reasons for which include but are not limited to: verifying the accuracy of the information you have provided to us, to better assessing any potential credit risks, complying with our regulatory obligations such as in respect of preventing money laundering or tax evasion, preventing fraud, complying with our tax reporting obligations, and monitoring the loan performance) from third parties such as fraud prevention agencies, credit agencies, banks, public authorities, tax authorities, employers, referees, insolvency practitioners, debt advisors, tracing agents, accountants, RICS surveyors, intermediaries and brokers, consultants, commercial databases, the publicly available electoral register, publicly available information sources, other lenders, etc.
  - Information from technical sources. We may obtain information about you by web scraping, algorithmic models, cookies and tracking (IP address and URL clickstream). To know more about the use of cookies and similar technologies. Please refer to our Cookie Policy here.
  - Information we generate about you, such as payment records, credit and risk opinions, contact history, communication monitoring and activity on our websites.

How will we use Personal Data and other Confidential Data?

The ways in which we may use your Personal Data and other Confidential Data necessarily depends on the relationship you have with us. The list below (non-exhaustive) sets out the purposes for which we use your Personal Data and other Confidential Data, the principal categories of personal data processed and the applicable lawful bases:

Purpose	Data categories	Legal basis
For contact and communication purposes as well as to manage our business contacts.	Identification and contact Data.	The adoption of precontractual measures and performance of a contract. Our legitimate interest in maintaining commercial relationship with our business contacts.
To provide our services, which may involve: understanding your financial needs and interests; assessing your loan application and credit profile; better understanding your financial objectives; evaluating your business track record; evaluating your capacity to service the loan; evaluating your business model; opening and maintaining accounts; evaluating your capacity to service the loan; evaluating your guarantees; and understanding your overall financial and business situation, as well as your credit track record and reputation.	Identification, contact, financial, business, loan, loan security, investment portfolio composition and transactional Data.	Performance of a contract. Compliance with a legal obligation. Our legitimate interest in evaluating the capacity of our customers before approving a loan.
To deal with suppliers, advisers, intermediaries and other professional experts, to manage internal administrative purposes which relate to the services Fiduciam offers to you, and to allow audits to be performed.	Identification, contact, financial, business, loan, security, investment portfolio composition and transactional Data.	Performance of a contract. Compliance with a legal obligation.
To comply with our legal, regulatory and internal obligations, which include: anti-money laundering, counter- terrorist financing and anti-bribery regulations; know-your-customer due diligences and practices; tax, reporting and withholding obligations; and obligations to share loan and loan performance data.	Identification, contact, financial, business, loan, security and transactional Data.	Compliance with a legal obligation. Our legitimate interest in protecting the company against fraudulent practices.
To purchase, collect and recover debt, to collect Fiduciam’s fees, to recover costs, to make and receive payments, to service loans, to enforce loan provisions, to trace you in the case of a default, and to enforce on the loan security and/or your personal guarantee.	Identification, contact, financial, business, loan, security and transactional Data.	Performance of a contract. Our legitimate interest in managing debt, fees, and costs, enforcing contractual loan terms and exercising rights in respect of security.
To prevent fraud and to apprehend and prosecute offenders.	Identification, contact, financial, loan, security and transactional Data.	Compliance with a legal obligation. Our legitimate interest in protecting the company against fraudulent practices.
To take underwriting decisions on loans and value any loan security; to enable us to act as principal for any financial transaction including mortgage loans; and to make cross-verification to reduce risk.	Identification, contact, financial, business, loan, security, investment portfolio composition and transactional Data.	Performance of a contract Our legitimate interest in evaluating the risks involved in granting a loan, the recovery potential in case of a default of the loan and the nature of the borrower and/or sponsor.
To enable our funding partners to finance our loans, which may involve: assessing the eligibility of our funding partners to join our platform; providing loan participations to our funding partners; enabling the assessment of credit risk and transactional terms and conditions by the funding partners; to comply with the information standards imposed by the Loan Market Association in respect of loan sub- participations; and to assist funding partners with their loan participations.	Identification, contact, financial, business, loan, security, investment portfolio composition and transactional Data.	The adoption of precontractual measures. Performance of a contract.
To enable third parties to perform loan servicing, including on a standby basis, which may involve: providing information about certain investors and borrowers; and making available information about specific loan transactions.	Identification, financial, business, loan, security, investment portfolio composition and transactional Data.	Performance of a contract.
To obtain insurance, which may involve: providing information to obtain insurance policies; and informing the insurance providers of potential claims.	Identification, financial, business, loan, security, investment portfolio composition and transactional Data.	Performance of a contract. Our legitimate interest in arranging and/or obtaining appropriate insurance.
For recruitment and selection purposes and to support and manage our staff.	Identification, contact, national insurance, fiscal, medical and academic Data	Compliance with a legal obligation. Performance of the employment contract. Our legitimate interest in ensuring the integrity and appropriateness of staff.
For statistical analysis and improving our website.	Technical Data and online identifiers.	Our legitimate interest in analysing our services to improve them.
To handle complaints and enquiries.	Identification and contact Data	Performance of a contract. Our legitimate interest in dealing with complaints and enquiries.
To promote our services.	Contact Data.	Your consent (unless we have determined that it is appropriate to use your contact Data for the relevant promotional purpose on the basis of our legitimate interests in promoting and growing our business).
To manage relationships with existing and prospective customers and funding partners and to analyse the performance of our services, our marketing activities and our internal processes.	Identification, contact, financial, business, loan, security, investment portfolio composition and transactional Data	Our legitimate interests in improving our commercial relationships with our business contacts, in developing and improving our services and internal processes, and in developing and improving our marketing activities Your consent, in cases where we have determined that legitimate interests is not the appropriate lawful basis in the circumstances.

Lawful basis

We are allowed to save and process your Personal Data on the following legal bases:

- - for the purposes of a contract;
  - to comply with a legal or regulatory obligation;
  - our legitimate interests; and
  - consent

Where we save and process your Personal Data for the purposes of a contract, these purposes include (but shall not be limited to):

- - the performance of the contractual arrangements with you, in particular the Agreements;
  - to adhere to our contractual obligations with our funding partners under the Loan Market Association sub-participation standards; to establish, exercise or defend our legal rights or for the purpose of legal proceedings; and
  - to comply with our contractual duties as a lender, security agent and trustee.

Where we save and process your Personal Data in order to comply with legal and regulatory obligations, these shall include (but not be limited to) all laws and regulations in respect of:

- - anti-money laundering;
  - counter terrorist financing;
  - anti bribery and corruption;
  - anti-tax evasion; and
  - to report to regulatory bodies and tax authorities.

Where we save and process your Personal Data for our legitimate interests, these shall include (but not be limited to):

- - the prevention of fraud;
  - to comply with our risk management, underwriting, loan servicing and other similar governance policies;
  - to report to regulatory bodies and tax authorities;
  - to keep a contact database; and
  - to develop and improve our service and the quality of our interactions with you.

For processing operations in respect of Personal Data based on our legitimate interests, we have carried out a legitimate interest assessment to ensure that our interests are not overridden by your interests or fundamental rights and freedoms; you can request this assessment via the contacts listed at the end of this Privacy Policy.

Where we save and process your Personal Data based on consent, this shall typically be for:

- - marketing purposes; and
  - promotional purposes;

(unless we have determined that our legitimate interest in promoting and growing our business is an appropriate basis for the processing in question and consent is not otherwise required by applicable law).

Potential borrowers: fraud prevention

If you are a potential borrower, you must be aware that it is a criminal offense to knowingly supply false information to obtain a loan.

Before we provide services or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process Personal Data.

The Personal Data you have provided, we have collected from you, or we have received from third parties, will be used to prevent fraud and money laundering, and to verify your identity. Where information is obtained from third parties, we shall ensure that at all times the source from which or the intermediary through which the information is provided can be disclosed to you.

Details of the Personal Data that will be processed, for example include name, date of birth, address, contact details, financial information, tax information, employment details, device identifiers including IP address and personal identifiers.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your Personal Data to detect, investigate and prevent crime.

We may run a search for similar loan applications you have made, as a potential borrower, to other lenders. If fraud is suspected, we may share relevant details with those lenders.

Information we share with fraud protection agencies may be used by other entities such as lenders making financial or credit-related decisions about you.

Your Personal Data may also be used to check against the existing open accounts with other lenders to prevent and/or detect fraud.

Fraud prevention agencies can hold your personal data for different periods of time.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.

Who else may have access to your Personal Data and other Confidential Data?

We may need to share your Personal Data and other Confidential Data with third parties:

- - Authorities, including tax authorities, and regulators as required by law or regulation.
  - Our affiliates and subsidiaries to provide ancillary services. These entities will act as data processors, applying documented instructions from the controller.
  - Fraud prevention organisations and companies, credit reporting agencies and companies, anti-money laundering database providers, and similar organisations.
  - Our business partners, external service providers and professional subcontractors such as solicitors, surveyors, valuers, accountants, auditors, insurance underwriters and companies, software and IT sub-contractors, debt collectors, receivers, administrators and professional intermediaries. These third parties will follow documented instructions from the controller when processing your personal data.
  - Our funding partners, funding vehicles, banks, and their service providers and professional subcontractors.

These third parties may keep a record of your Personal Data and the other Confidential Data. We impose contractual obligations on these third parties to protect your Personal Data and the other Confidential Data.

Where you have provided us with Personal Data about other people

Where you provide information about other people, e.g., information about directors, partners, members, shareholders, or beneficial owners other than yourself then you confirm that you have their consent to provide us with such information, that they have read, understood and agreed to the terms of this Policy, including how we may use such information.

Monitoring and audio and video recording

We may make audio recordings of business communications between you and our employees. and may engage in other types of recording or monitoring of communications between you and our employees.

By recording and/or monitoring, we mean listening to, recording of, taking and keeping records (as the case may be) of, calls, e-mail, text messages, social media messages and other communications. During meetings and calls, personal data such as names, contact details, and any information shared during interactions may be collected. Recording may consist of voice and/or video recordings as well as speech to text transcripts and may in some cases be used to create artificial intelligence (AI)-generated call summaries and other forms of data analysis. We use third party service providers for call recording and AI tools. As of the date of this Policy, our terms and conditions with third party providers of these services do not permit them to use personal data for AI training purposes.

The reasons for recording and/or monitoring include the following:

- - to establish and have a record of what we have discussed with you and actions agreed with you;
  - for quality assurance, staff training purposes and service improvements;
  - to prevent or detect fraud and/or other crimes;
  - for relationship management, transactional and compliance purposes; and
  - other purposes as permitted or required by law.

We will only ever conduct communications recording and monitoring in compliance with applicable law, and will at all times continue to protect the confidentiality of your communications in accordance with this Policy.

We will not generally require your consent where we record communications, except where your consent is required by applicable law. Other than where your consent is required by applicable law, communications recordings and monitoring, and the use transcripts of communications, call summaries and other technical outputs associated with communications recording, will generally be carried out on the basis of our legitimate interests, in connection with the purposes set out in the section entitled “How will we use Personal Data and other Confidential Data?” above, including to improve the management of relationships with existing and potential customers, funding partners and other business partners, and to analyse the performance of our services, our marketing activities and our internal processes.

Where the legal basis for recording and/or monitoring of communications between you and our employees is our legitimate interests, we will implement procedures designed to inform you of the fact that such communications may be recorded and may be monitored, including by way of publication of this privacy policy on our website; however, recording and/or monitoring may be carried out without any specific notice or warning at the start of each communication. You may at any time choose not to have communications recorded and/or not to permit the use of AI tools in connection with recordings and can communicate this to us in writing, by e-mail, or during a call with us. Where the legal basis for recording communications and using AI tools is your consent, you may withdraw such consent at any time you wish.

International transfers of Personal Data

As described above, from time to time, we may need to transfer your Personal Data to affiliates and third parties that may have offices that are located in territories outside of the UK and outside of the European Economic Area (“EEA”), in order to provide you with the services required.

Where we transfer your Personal Data to another country outside the UK or EEA, we will ensure that it is protected and transferred in compliance with our legal obligations. Transfers outside of the UK or EEA may be achieved in one of the following ways:

- - the country that we send the EEA data to is approved by the European Commission as offering an adequate level of protection for Personal Data;
  - the country that we send the UK data to is approved by the UK Government as offering an adequate level of protection for Personal Data
  - the recipient might have signed up to a contract based on “standard contractual clauses” approved by the European Commission or by the relevant UK authorities, as applicable, obliging them to protect your Personal Data; or
  - in other circumstances the law may permit us to otherwise transfer your Personal Data outside the UK or the EEA.

How we look after your Personal Data and other Confidential Data

We use a range of measures to keep your Personal Data safe and secure, which may include encryption and other forms of security. Fiduciam requires our staff and any third-party subcontractors to comply with appropriate data protection standards. Our employees receive periodic training in respect of data protection and must adhere to this Policy as well as our Data Protection Manual. Unauthorised use or disclosure of Personal Data or Confidential Data by an employee may result in disciplinary measures.

Personal Data and Confidential Data may be processed by either automated or manual methods. Automated decisions will only ever be made if they are necessary for us to fulfil our contractual obligations, for legal reasons, or if you have provided consent and such processing is allowed under EU or national laws applicable to us.

We have put in place appropriate technical and organisational security measures, such as confidentiality agreements, to protect your Personal Data and other Confidential Data against unauthorised or unlawful use, and against accidental loss, damage or destruction.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to or from our sites; any transmission is at your own risk.

Questions, concerns, complaints and exercising your rights

UK Privacy Rights

If you have any questions, concerns or complaints about this Policy, about how we collect, store and use Personal Data and Confidential Data, if you wish further information explaining with which fraud prevention agencies we work, how data held by fraud prevention agencies may be used, or to exercise your rights set out in this Policy, please e-mail us at:

E-mail: co********@*********co.uk.

Mail: Josaron House, 2nd Floor, 5-7 John Prince’s Street, London W1G 0JN

Telephone: +44 203 290 1933

Our Privacy Officer is the first point of contact for supervisory authorities, employees and customers. You also have the right to complain to the Information Commissioner’s Office in the UK (click here) if you are protected by the DPA.

European Economic Area Privacy Rights

Article 27 of the EU General Data Protection Regulation (EU GDPR) requires organizations that are not established in the European Union (EU) to designate a representative in the EU if they are subject to the EU GDPR.

Certain non-EU Fiduciam Group entities (in particular, Fiduciam Nominees Limited, Fiduciam Services Limited and Fiduciam Limited) may undertake processing activities to which the EU GDPR applies. For that reason, these entities have appointed Fiduciam Services Limited acting through its registered branch office in Ireland located at Clonmel House, Forster Way, Swords, Dublin, Ireland, K67 F2K3 (email: co********@******am.eu; telephone +353 (85) 2576488) as their representative in accordance with the EU GDPR to act on their behalf if, and when, they undertake data processing activities to which article 3(2) of the EU GDPR applies. Such appointment is not intended to be an acknowledgement that the EU GDPR is applicable to any of their processing activities.