ABOUT US AND WHO WE DO BUSINESS WITH
Primary Asset Finance Limited (PAF, we, us, our) is a specialist intermediary and consultant, which arranges debt finance solutions for business clients (Client(s)) sourced from funders for agreed purposes. Finance may be obtained for an array of purposes, both short and long term; however, PAF’s Clients are strictly businesses only, most typically Limited Companies. PAF does not operate in any FCA regulated areas and therefore does not arrange funding for individuals, sole traders and the like.
All PAF’s Clients are commercial businesses. As we interact with Clients, and any other third parties associated with these, including prospective funders, the vast majority of information we collect concerns the Client’s business operations. However, we will need to collect some personally identifiable information (Personal Data) relating to individual people connected with our Clients (Business Contact(s), you, your) that we need to contact.
We are registered with the Information Commissioner’s Office (ICO) as a data controller processing Personal Data for our business operations. Our registration number is ZA386525.
This Privacy Statement explains what Personal Data we collect, how we use/process it in our business operations, how we store and protect it, and for how long we keep it. It will also help you to understand what rights and choices you have relating to what we do with your Personal Data.
THE TYPES OF INFORMATION WE COLLECT
We collect and process Personal Data to enable us to conduct our activities and business operations for the benefit of our Clients.
We use publicly available sources to identify organisations, or private individuals, whose interests may align with ours. We will contact them by direct marketing to see if they would consider using our services and to identify appropriate Business Contacts.
The information we collect relating to Business Contacts includes Personal Data such as:
- Employer name;
- Job title;
- Phone number(s), email address(es);
- Other business related details;
- Home address;
- Date of birth;
- Financial information (where needed to perform our services).
Generally the information is obtained from:
- Third parties connected with Clients;
- Sources that Clients or you have authorised us to obtain information from;
- Public sources (e.g. Client promotional material, professional networks, and media).
In addition, we may collect data from emails received (sender name, recipient name, date and time) and calendar systems (organiser name, participant name, date and time of event) concerning interactions between PAF and senders or third parties.
We also collect information during meetings with you, Clients or third parties connected with Clients.
This is information that we would be reasonably expected to obtain and store for business purposes.
We would not hold any Special Category data on you unless you had given us your explicit consent to do so.
WHAT WE NEED FROM ANYONE ACTING ON THE CLIENT’S BEHALF
Anyone acting on the Client’s behalf providing us with information on:
- The Client’s business; must ensure they have the Client’s authority to do so;
- Any individual connected to the Client’s business; must ensure they have the individual’s authority to do so.
HOW WE USE/PROCESS THIS INFORMATION
We will use Client information and information about you for purposes including:
|To make sure our marketing is relevant for recipients.||Identifying contacts within an organisation or private individuals who might have an interest in our business activities.||Our legitimate interest. Recipients would have a reasonable expectation of our doing this. The limited amount of information held for a Business Contact(s) presents negligible risk of harm to the individual.|
|To ensure that our Contacts List database is accurate.||To maintain an up-to-date Contacts List.||Our legal obligations under data protection laws. Data Subjects would have a reasonable expectation of our doing this.|
|To undertake initial direct marketing and subsequent marketing campaigns.||To provide Clients/Business Contacts information about our services.||Our legitimate interest. Business Contacts would have a reasonable expectation of our doing this.|
|To conduct market research surveys.||We will obtain explicit consent for some communication channels and/or Special Category Data should it be required. Any Business Contact can choose to stop receiving our messages at any time using the various opt-out or unsubscribe methods we publicise in the messages issued.|
|Maintaining suppression lists.||To meet your request to exercise your right to erasure (to be forgotten).||Our legitimate interest in being able to comply with the Business Contact’s right to be forgotten.|
|Administering, managing and developing our business activities.||To help us run and manage our business efficiently and understand how we can improve our activities (e.g. feedback surveys).||Our legitimate interest. Business Contacts would have a reasonable expectation of our doing this.|
|Providing information to existing Clients/Business Contacts about changes in our activities.|
|To also use information in aggregate form (so that no individual Client/Business Contact is identified by name) to build up marketing profiles and aid strategic development.|
|To deliver our activities and services to Clients.||To carry out the actions necessary to meet the Client’s project/contract objectives.||To perform our contract with our Clients or suppliers. Business Contacts would have a reasonable expectation of our doing this.|
|To maintain records to confirm or evidence the outcome of activities.|
|To respond to enquiries, requests or complaints.||To be able to respond appropriately and keep records of the correspondence.||Our legitimate interest. To perform our contract with our Client or suppliers. Business Contacts would have a reasonable expectation of our doing this.|
|To administer employee or member records.||To run our business efficiently within legal requirements and to keep appropriate records.||Our legal obligations and our legitimate interests. All Data Subjects would have a reasonable expectation of our doing this.|
|To meet any regulatory or legal requirements.||These can vary dependent upon the Client’s project or any changes in future legal or regulatory requirements.||Our legal obligations (including requests from regulators). To perform our contract with our Client and our legitimate interest.|
We take measures to protect the information we hold from unauthorised or unlawful processing, accidental loss, destruction, damage or disclosure, and we will do our utmost to keep it secure.
We do not sell or otherwise release information to third parties for the purpose of allowing them to market their products and services without explicit consent from Clients or you to do so.
If you have any concerns about the processing of your information, you have the right to object to processing that is based on our legitimate interests. For more information on your rights, please see the “Explaining your rights” section below.
Please bear in mind that an objection by you may affect our ability to carry out the tasks above for the individual or the Client’s benefit.
HOW WE STORE YOUR INFORMATION
Like most businesses and individuals, we store information on our own devices (PC/server/laptop/tablet/phone) and use cloud service providers for back-up services, remote access by authorised users and collaborative work, and for hosting email, CRM and website services.
WHO WE SHARE YOUR INFORMATION WITH
We may share your information with you or other organisations in any of the following situations:
- If you have given us explicit consent to do so.
- If we sell or buy any business or assets (as we may share your data with the prospective seller or buyer).
- If we, or substantially all of our assets, are acquired by another party, in which case your information will be one of the transferred assets.
- With service providers, business partners, suppliers, sub-contractors for the performance of any contract we enter with them or you.
- If we have to share your information to comply with legal or regulatory requirements, or to protect our rights, property or our Clients. This may involve exchanging information with other organisations for the purposes of preventing financial crime.
TRANSFER OF INFORMATION OUTSIDE THE UK
The information may be processed by our service providers at a destination outside the UK. We use well-known service providers (e.g. Dropbox, Pipedrive) who are fully aware of the need to satisfy the relevant data protection legislation for the UK, EEA and the USA. If you do not want your information to be transferred to or stored outside the UK, please contact us to let us know using the contact details in the “Contact Us” section at the end of this Privacy Statement.
HOW WE PROTECT DATA
Whilst we consider the amount, nature, and sensitivity of the Personal Data we hold to have a very low level of potential risk of harm from unauthorised or unlawful processing, accidental loss, destruction, damage or disclosure, we will do our utmost to keep it secure.
We have put in place security measures to deal with any suspected breach of security (e.g. access security protocols, firewalls, encrypted transmission).
We will notify you and any applicable regulator of a breach where we are legally required to do so.
HOW LONG WE KEEP INFORMATION
Business Contact’s Personal Data will be kept for as long as we have, or need to keep a record of, a relationship with the Client, or as required by applicable law or regulation. However, we would expect to replace your contact details in our Contacts List with your successor’s details.
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years. However, this may be extended from time to time depending on the specific requirements and/or finance facility delivered to a Client. Our destruction/archiving period is scheduled during April-June annually.
We consider the amount, nature, and sensitivity of the Personal Data we hold to have a very low level of potential risk of harm to you from unauthorised use or disclosure.
EXPLAINING YOUR RIGHTS
Data protection law gives you the following rights:
Withdraw consent: Where we are using your Personal Data on the basis of your consent, you have the right to withdraw that consent at any time.
Right to be informed: You have the right to be told how your Personal Data will be used. This Privacy Statement, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.
Right of access: You can write to us asking what information we hold on you and to request a copy of that information. This is called a Subject Access Request. From 25th May 2018 we will have 30 days to respond to you once we are satisfied you have rights to see the requested records and we have successfully confirmed your identity. Details on how to submit a Subject Access Request can be made available by emailing email@example.com.
Right of erasure: You have the right to be forgotten (i.e. to have your Personal Data deleted). However, we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you. In some cases, we may suppress you from future communications, rather than delete your data.
Right of rectification: If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate information we hold about you corrected. We may need to verify the accuracy of the new data provided to us.
Right to restrict processing: In certain situations you have the right to ask for processing of your Personal Data to be restricted because there is some disagreement about its accuracy or legitimate usage.
Right to data portability: Where we are processing your Personal Data under your consent, the law allows you to request data portability from us to another service provider. As this right only applies where we use the information to perform a contract or service with you, this will not apply to most of our Business Contacts.
Right to object: You have an absolute right to stop the processing of your Personal Data for direct marketing purposes. Simply contact us using the details shown in the “Contact Us” section at the end of this Privacy Statement.
Right to object to automated decisions: In a situation where a data controller is using your Personal Data in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. However, we do not undertake this type of processing.
EXPLAINING OUR RIGHTS
- If you do not agree to our keeping records of information about you, or if you do not allow us to use the information in the way we need, then we may not be able to deliver our services.
- We can move our records between our computers and IT systems, as long as your details are protected from being seen by others without your permission.
If, for any reason, you have a complaint, please contact Neil Taylor, who is responsible for data protection matters, to discuss your concerns.
Following this, if you are still dissatisfied, you are able to contact the Information Commissioner’s Office directly at the contact details below.
Information Commissioner: Contact telephone: 0303 123 1113. Website: ICO website https://ico.org.uk/.
CHANGES TO THIS STATEMENT
Any changes we may make to our Privacy Statement in the future will be posted on this page. You should read the new terms and exercise your rights as described in the statement if you object to the changes.
If you have any queries about this Privacy Statement, please contact us using any of the below:
- Email: firstname.lastname@example.org
- Phone: 01763 299473
- Post: 5 The Courtyard, Alswick, Buntingford, Hertfordshire, SG09 0AA