Clientele privacy policy

1. What Is The Purpose Of This Document?

​

At Evacrest Capital Limited we respect your privacy and are committed to complying with the UK’s Data Protection law and the UK General Data Protection Regulation (GDPR) for the protection of personal data, as well as the principles of data security in the configuration of our services.

​

This Privacy Policy will let you know how we will collect, process and protect your personal data. If this document is applicable to you then this document should be read in conjunction with our general Privacy Policy - Our Privacy documents can be viewed on our website at: www.evacrestcapital.co.uk/privacypolicy

​

The data controller is Evacrest Capital Limited. However, if you are approved for finance by one of our finance providers or are introduced to a vehicle for the supply of your requested sourced vehicle, in each case that entity will become the data controller.

 

When you approach Evacrest Capital Limited to engage in our brokerage services, we will ask your consent to collect and process your personal data. Failure to provide this consent and/or personal data may mean we will be unable to execute the contract and will result in termination of our services.

​

When engaging Evacrest Capital Limited’s brokerage services, you may need to disclose to us the following information:

​

• Title

• First name(s), surname or company name (including representation as the case may be)

• Residential address (street, street number, postal code, city and country/region)

• Email address

• Date of birth

• Telephone and mobile number

• Employment/company details (employer name, employer address, employment history)

• Monthly income and expenditure

• Bank details (account number, account holder and card number)

• VAT ID number (as the case may be)

 

Please note this is not an exhaustive list and different/further information may be requested from you.

​

2. How We Use Your Personal Data

​

We will only use your personal data when the law allows us to. The most common bases for processing your data are the following:

​

• The processing is necessary under a contract we have with you, or is necessary in order to enter into a contract with you;

• Where we need to comply with a legal obligation; or

• Where it is necessary for our legitimate interests;

• Because we have obtained your consent;

 

3. What Do We Mean By ‘Legitimate Interests’?

​

There are some processing activities which do not fall within other lawful bases (e.g. it’s not a legal obligation or contractual requirement) but are still necessary for a legitimate purpose that we are trying to achieve (such as sending you a letter about a new product). We can only rely on this lawful basis if it’s necessary to achieve a particular purpose and if we’ve balanced our interests against yours.

​

We have set out below a description of all the ways we plan to use your personal data, along with the lawful basis on which we will do so. We have also identified what our legitimate interests are where appropriate:

​

• Application details to conduct a creditworthiness assessment - To work out product eligibility as a required step of entering into a contract with you.

 

• Incoming payments - debit/credit card payments - Only if necessary under our contract with you

 

• Where you are a sole trader, beneficial owner, director or a guarantor, conducting personal credit, fraud and KYC checks - In order to enter into a contract with you and to comply with legal obligations

 

• Setting up, administering and managing our customers’ accounts - Necessary under our contract with you

 

• Marketing our products and services to you (which you can choose to opt-out from) - For our legitimate interests in the direct marketing of our products and services

 

• Credit Reference Agency checks - As a prerequisite of entering into a contract with you

​

• Fraud Prevention Agency checks - As a prerequisite of entering into a contract with you.

​

• Anti-Money Laundering checks & Electronic Identity Verification - To fulfil legal/regulatory obligations

 

• Complaints handling - To fulfil our legal/regulatory obligations

 

• Arrears management (including the instruction of third parties) - Necessary under our contract with you

 

• Targeted advertising service - For our legitimate interests to define types of customers for our products and services

 

• Monitor, record, store and use of any telephone, email or other electronic communications with you - For our legitimate interests to check any instructions given to us, respond to complainants and for staff training purposes

​

• Audit purposes - To comply with legal obligations

​

• Undertaking market research and statistical analysis, including analysing your use of our website. This allows us to develop new, or improve existing, products and services (as is necessary for our legitimate interests)

​

• Third party checks - Such as due diligence checks by Vehicle suppliers (dealerships) - To fulfil legal/regulatory obligations

​

In some instances, we may use your data in ways that are not described above. However, we will inform you before doing so.

 

4. The Data We Collect About You (From Third Parties)

​

We may receive personal data about you from third parties under the following circumstances:

​

• If you are the borrower, or main guarantor for your company, receive information about your financial standing (including your credit score and repayment history) and address history from credit reference agencies. We will also receive information from fraud agencies on any fraudulent activity reported by other financial institutions (this will include instances in which you were a victim of fraud);

​

• If you are an additional guarantor, your name, date of birth and contact details would have been provided to us by the main guarantor. We will also collect the information listed above from credit reference and fraud agencies;

​

• If you are a director or beneficial owner of one of our customers, your name, date of birth and address will have been provided to us by the main guarantor;

​

• If you are financially associated with a borrower or guarantor (via a joint bank account or mortgage, for example), we will also receive information about your financial standing from the credit reference agencies; and

​

• We obtain marketing data from third party generators. If your business is included in this data, it may also include your name and contact details.

​

 

5. Credit Reference Agencies

​

In order to process your finance application (or an application for a credit facility which you will guarantee), us and/or the finance provider will perform credit and identity checks on you with one or more credit reference agencies (Equifax and Experian).

To do this your name, date of birth and address history will be supplied to the credit reference agencies and they will provide information about you. Credit reference agencies will supply both public (including electoral register) and shared credit, financial situation, financial history, and fraud prevention information.

​

This information will be used to:

​

• Assess your creditworthiness and whether your business can afford to take the product;

• Verify the accuracy of the data you have provided us;

• Prevent criminal activity, fraud and money laundering;

• Trace and recover debts; and

• Ensure any quotations we provide are appropriate to you and your business’ circumstances.

 

In utilising the data held with credit reference agencies, we must abide by the Principles of Reciprocity by contributing the same level of credit performance data that we receive.

When credit reference agencies receive a search from us they will place a search footprint on your credit file that may be seen by other finance providers.

​

If you are a joint applicant or if you have told us of some other financial association with another person, or a director of a firm which is applying for a facility, you are declaring that you are entitled to:

 

• Disclose information about your joint applicant, fellow directors and anyone else referred to by you.

• Authorise us to search, link or record information at credit reference agencies about you and anyone else referred to by you.

 

The credit reference agency will use a credit scoring system when assessing your application. They will also add to your record details of any finance agreement you enter into,

specifically the payments you make under it, any default or failure to keep to its terms and any change of address you fail to tell your finance provider about where a repayment is overdue. 

These records will be shared with other organisations and will be used to help make decisions about credit and credit related services such as insurance for you and members of your household, trace debtors, recover debt and to manage your accounts.

 

Finance providers and the credit reference agencies will also use the records for statistical analysis about credit.

​

The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share information, data retention periods and your data protection rights with the credit reference agencies are explained in the Credit Reference Agency Information Notice (“CRAIN”).

​

The CRAIN document is accessible from each of the two credit reference agencies we utilise, or by clicking on each of these two links:

• Equifax 

• Experian 

​

You have a legal right to know the details of credit reference and fraud prevention agencies that are used and to whom your information is passed to. To obtain this information, please contact us using our contact details below. If you have entered into a finance agreement with one of our finance providers please contact them directly for further information

 

6. Fraud prevention agencies

​

Before financing can be provided to your business, checks are undertaken for the purposes of preventing fraud and money laundering, and to verify the identity of the guarantors. These checks require personal data to be processed about you if you are a guarantor.

​

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity. For example when:

 

• Checking details on applications for credit and credit related or other facilities

• Managing credit and credit related accounts or facilities

• Recovering debt

• Checking details on proposals and claims for all types of insurance

• Checking details of job applicants and employees

 

Details of the personal information that will be processed can include, for example: name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address.

​

Evacrest Capital Limited, Finance providers and fraud prevention agencies may also enable enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

​

Evacrest Capital Limited and our finance providers process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our businesses and to comply with laws that apply to us. Such processing is also a contractual requirement of the financing your business has requested.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

​

If Evacrest Capital Limited, a finance provider or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

​

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details below.

​

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

​

we utilise yoti to perform identification checks; address verification and aml screening checks - to view their privacy policy please click here.

 

 

7. Who We Share Your Personal Data With

​

In addition to the credit reference and fraud prevention agencies described above, we may also share your personal data with the following third party data processors who will assist us in providing our services to you:

​

• Vehicle Dealerships & manufacturers - Information about you and your business in order to establish the formal introduction to order and supply your requested vehicle

​

• Finance Providers & other brokers - Information about you and your business (and other information in support of your application) and to generate your finance agreement

​

• Solicitors and Accountants - Information about you and your business because it is necessary for performance of a contract with you; (2) because it is a legal obligation upon us;

​

• Providers of software platforms (such services will include email, data analytics, identify verification, lead management, hosting and data storage);

​

• Outsourced service providers (including marketing, optimisation, personalisation and e-signature providers) who process some of our applications and help us make fast decisions;

​

• Providers of telecommunications and postal services; 

​

• Social media sites, for the purposes of conducting market research and running marketing campaigns (it is important to note that, when sharing data with these sites, we ensure that your data is only used in accordance with our instructions); and

 

• Regulators and law enforcement agencies, including the police, the Financial Conduct Authority or any other relevant authority who may have jurisdiction (as is necessary for compliance with our legal obligations).

 

We may instruct third parties to act on our behalf in order to collect an outstanding debt. This can include debt collectors, lawyers, tracing agents, process servers and enforcement officers.

​

Some of these third parties may also be considered a data controller in respect of holding your personal data. In these cases, we can provide you with the privacy statements of those parties on request.

​

We will only disclose your information to others when:

​

• You have given us your consent to do so

• It is necessary for the performance of an agreement of which you will be made aware

• In order to obtain professional advice (e.g. legal advice)

• We or others need to investigate or prevent crime (e.g. to fraud prevention agencies)

• The law permits or requires it

• Regulatory or governmental body requests or requires it, even without your consent; or

• There is a duty to the public to reveal the information

 

8. International Transfers

​

Some of the data processors we use are outside the EU, or may host your personal data outside the EU.

​

Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

​

• Your personal data is transferred to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;

​

• Where we use certain service providers, we may use specific contracts approved by the European Commission which gives your personal data the same protection it has in the EU. For further details, see European Commission: Model contracts for the transfer of personal data to third countries;

​

• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield; and

​

• Some of our providers will have binding corporate rules in place, see European Commission: Binding Corporate Rules.

 

Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data out of the EU.

 

 

9. Automated Decisions

​

Our ‘soft check’ credit facility; identification and address verification software; AML screening software; finance software, and finance providers themselves may also automatically generate quotations and decide: Whether or not to lend to you or your business, how much to lend, at what interest rate and under what terms.

​

You have rights in relation to automated decision making, such as the right to request human intervention or challenge a decision in certain circumstances. If you would like to know more, please contact us using our contact details below.

 

 

10. How Long We Will Retain Your Data For

​

The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested deletion of the data, and whether we have any legal or regulatory obligation to retain the data.

 

We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. We will typically keep your data for up to 7 years after you made or started an application for finance or requested we source you a vehicle.

 

We keep your data for compliance with our general legal obligations and for the exercise or defence of any legal claims. We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes.

 

Where possible, Evacrest Capital Limited will take steps to erase any personal data that is no longer necessary for the purposes for which it is collected or otherwise processed; or if you have withdrawn consent for its processing and retention.

​

Under the GDPR, you have the right to ‘block’ or request the deletion or removal of personal data to prevent further processing. This right to erasure is also known as ‘the right to be forgotten’. Specific circumstances in which you can request the deletion or removal of personal data includes:

 

• Where the personal data is no longer necessary for the purposes for which it is collected or otherwise processed

​

• Where you withdraw consent

​

• When you object to the processing and there is no overriding legitimate interest for continuing the processing

​

• Where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)

​

• Where the personal data has to be erased in order to comply with a legal obligation

​

• In case a deletion is not possible due to legal, statutory or contractual retention periods, or if it requires disproportionate efforts or prejudices your legitimate interests, the data will be blocked instead of deleted.

 

11. Your Legal Rights

​

You have rights under the data protection laws in relation to your personal data. We have included the links below to make it easy for you to find out more about these rights:

​

• The right to be informed 

• The right of access 

• The right to get your data corrected 

• The right to get your data deleted 

• The right to object to the use of your data 

• The right to limit how organisations use your data 

• The right to data portability 

​

Under GDPR these rights are extended and listed below:

​

• To obtain access to, and copies of, the personal information that we hold about you;

​

• To require that we cease processing your personal information if the processing is causing you damage or distress;

​

• To require us not to send you marketing communications.

​

• To require us to erase your personal information;

​

• To require us to restrict or object to our data processing activities;

​

• To receive from us the personal information we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal information to another data controller; and

​

• To require us to correct the personal information we hold about you if it is incorrect.

​

Please note that these rights may be limited by data protection legislation, and we may be entitled to refuse requests where exceptions apply.

​

Where the lawful basis for processing your personal data is your consent, then you will also have the right to withdraw your consent at any time. For further information on this please see our General Privacy Policy and customer Privacy Notice.

​

12. Protecting Your Privacy

​

In order to protect the personal data collected from you by Evacrest Capital Limited against accidental or deliberate manipulation, loss, destruction or the access of unauthorised persons, technical and organisational security measures are constantly improved as part of our technological development. In addition, our employees, finance providers, vehicle dealerships, service providers, subcontractors and all other support staff are obligated to observe confidentiality and data privacy. All Evacrest Capital Limited Partners implement strict privacy procedures in line with all laws and regulations.

​

Any access to your data that is stored at our company only takes place through an encrypted connection. By using the most up-to-date firewall systems, we provide the best possible protection for your data. Our website, as well as our internal Customer Management System (CMS) is encrypted using a SSL/TSL (Secure Sockets Layer/ Transport Layer Security) connection. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

 

13. Breaches

​

If at any time we become aware that your data has been compromised, or that a breach of our systems and controls has occurred, which has an impact on the security of your data, we will notify the Information Commissioner’s Office, and you, without undue delay.

 

14. Subject Access Requests

​

You have the right to request access to a copy of the personal information that we hold about you. This is also known as a ‘Subject Access Request’.

​

This information is provided to you free of charge however, we can refuse to respond or charge a ‘reasonable fee’ of £10 inc. VAT when a request is manifestly unfounded, excessive or repetitive.

​

We will provide this information in a structured, commonly used and machine readable form. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

​

If you would like to submit a Subject Access Request, please contact us using the contact details below.

​

We will respond to your request without delay and at the latest, within one month of receipt of your request.

 

15. Changes to the Privacy Policy

​

Due to the further development of our website, government regulations or the implementations of new technologies, this policy will be reviewed, and may change, from time to time.

​

Evacrest Capital Limited reserves the right to change this data protection information at any time with effect for the future. The revised policy will be posted to this page so that you are always aware of the information we collect, how we use it and under what circumstances we disclose it.

 

We therefore recommend you read the current data protection information again from time to time.

 

16. Contact Details and Complaints

​

If you have any questions about this privacy policy, or if you have a complaint about any aspect of data protection or if you feel your privacy has been breached by us, we would like to hear from you. To help us investigate and resolve your concerns as quickly as possible you can contact us in the following ways:

​

Email address: info@evacrestcapital.co.uk

​

Postal address: Client Care Team,

                                   Evacrest Capital Limited,

                                   71 - 75 Shelton Street,

                                   London,

                                   WC2H 9JQ

​

Evacrest Capital Limited’s ICO Data Protection Registration Number is: ZB089254

​

You have the right to make a complaint at any time. If you are unhappy with the final response you have received from Evacrest Capital Limited you can contact the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. You can call the ICO on 0303 123 1113 or visit their website: https://ico.org.uk/.

 

We would, however, appreciate the chance to address your concerns before you approach the ICO so please do contact us in the first instance.

 

 

17. Further Information

 

For further information please see our General Privacy Policy and customer Privacy Notice. If you would like a copy of our Complaints Policy you can find a copy on our website at: www.evacrestcapital.co.uk/complaints.

 

Please contact us if you would like to request a copy of any of the aforementioned policies or procedures.

​