1. Purpose of this Privacy Policy

mcl finance respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share and protect your personal information when you apply for finance, use our services, or interact with us.

In this Privacy Policy:

• “mcl finance”, “we”, “us”, “our” refers to Merchant Finance London Limited and other associated entities within our group that may provide credit or servicing activities.
• We act as data controller when determining how and why your personal data is processed.

By applying for financing, acting as a guarantor, or engaging with us, you acknowledge that your personal data will be handled in accordance with this Privacy Policy.

2. Contact Details

Merchant Finance London Limited (trading as mcl finance) is a limited company registered in England and Wales under company number 11059045.

Our registered office address is B1 Vantage Business Park, Old Gloucester Road, Bristol, England, BS16 1GW.

We are registered with the Information Commissioner’s Office (ICO) in relation to the processing of personal information under registration number ZA342006.

mcl finance is a servicer of the loans and is not a direct lender. However, we act as a data controller in respect of the personal data we process in connection with servicing activities.

If you have any questions about this Privacy Policy or how we process your personal data, you can contact us at:

Email: privacy@mclfinance.com

Postal address: Merchant Finance London Limited, B1 Vantage Business Park, Old Gloucester Road, Bristol, BS16 1GW

Telephone: 020 3727 2572

You may raise concerns with the Information Commissioner’s Office (ICO) at www.ico.org.uk.

We would appreciate the chance to resolve your concerns first, so please contact us before approaching the ICO.

3. How We Use Your Personal Data

We will only process your personal data where permitted under data protection law. The most common lawful bases we rely on are:

• Contractual necessity – to consider your application, enter into a contract with you, and manage your facility.
• Legal obligations – such as anti-money laundering, fraud prevention, tax, financial regulation, and reporting.
• Legitimate interests – for activities necessary to operate and improve our business, provided these do not override your rights.
• Consent – only where we specifically request it (for example, biometric verification).

Below is an overview of how we may use your information:

Processing activity: Assessing eligibility, affordability, creditworthiness, fraud risk Lawful basis: Contractual necessity; legal obligations; legitimate interests

Processing activity: Conducting KYC and AML checks on directors, beneficial owners and guarantors Lawful basis: Legal obligations

Processing activity: Setting up, administering and managing your account or facility Lawful basis: Contractual necessity

Processing activity: Processing transactions, repayments and funding Lawful basis: Contractual necessity

Processing activity: Communicating with you via email, phone, SMS, WhatsApp or similar Lawful basis: Contractual necessity

Processing activity: Marketing our products and services (you may opt out at any time) Lawful basis: Legitimate interests

Processing activity: Using Credit Reference Agency (CRA) data Lawful basis: Contractual necessity; legitimate interests

Processing activity: Fraud prevention and identity verification Lawful basis: Legal obligations; legitimate interests

Processing activity: Handling complaints and operational queries Lawful basis: Legal obligations

Processing activity: Arrears management, including the use of third-party agents Lawful basis: Contractual necessity

Processing activity: Training, quality assurance and call recordings Lawful basis: Legitimate interests

Processing activity: Targeted advertising or audience definition Lawful basis: Legitimate interests

Processing activity: Biometric verification Lawful basis: Consent

If we ever need to use your data for a purpose not listed above, we will notify you before doing so.

4. Personal Data We Collect From Third Parties

We may receive information about you from the following sources:

• Credit Reference Agencies (CRAs) – including credit scores, repayment history, address history and financial associations.
• Fraud prevention agencies – including records of suspected or confirmed fraudulent activity.
• Brokers, partners or introducers – information provided to support your application.
• Directors, partners or guarantors – where someone else submits an application including your details.
• Your bank – where you link your account to provide transaction data.
• Public records – Companies House, the electoral roll and other publicly available sources.
• Marketing lead providers – where you have indicated interest in finance products.

We may also receive details of your business’s previous credit applications, account conduct, and similar financial information.

5. Credit Reference Agencies

When you apply for finance or act as a guarantor, we conduct credit and identity checks through one or more CRAs (typically CreditSafe and TransUnion).

To do so, we may supply information such as your name, date of birth and address history. The CRA will return information including:

• financial standing
• credit history
• public information
• fraud prevention indicators

We use this information to:

• assess your eligibility and affordability
• verify identity
• prevent crime, fraud and money laundering
• manage your account, including ongoing credit checks
• trace and recover debts
• improve our underwriting models

We will also report information about your repayment performance to CRAs. Missed or late payments may affect your credit rating.

For further information, please see the Credit Reference Agency Information Notices and Transparency Notices:

• TransUnion CRAIN
• CreditSafe Information Notice

These explain how CRAs share your personal data and your rights.

6. Fraud Prevention Agencies

We conduct fraud and anti-money-laundering checks before providing finance. This may involve processing personal data such as:

• name, address, contact details
• date of birth
• financial information
• employment information
• identity verification
• device identifiers and IP addresses

We share data with national fraud prevention bodies so they can help detect and prevent fraud, money laundering and criminal activity. These agencies may retain your data for up to six years.

If a fraud or money-laundering risk is identified, we may:

• refuse the financing requested
• withdraw an existing facility
• share that information with other financial institutions

This processing is required to comply with the law and to protect our business.

7. Who We Share Your Data With

We may share your personal data with:

• Credit Reference Agencies and fraud prevention agencies
• Servicing partners and outsourced processors that assist us with underwriting, KYC, collections, technology, hosting, email, data analytics and operational support
• Professional advisers including lawyers, auditors and consultants
• Payment processors and banking partners
• Brokers, introducers or referral partners, where they referred your application or where we report the outcome of the application
• Social media platforms, for controlled marketing or audience analytics
• Regulators, tax authorities and law enforcement agencies, where required by law
• Debt collectors, tracing agents, insolvency practitioners, and enforcement officers, where relevant
• Other lenders, where you request or consent to an introduction
• Group companies and investors, for portfolio reporting and servicing purposes

We will only share your data for the purposes described in this Privacy Policy or where you have provided consent.

8. International Transfers

Some of our technology and service providers may store or process your data outside the UK.

Where this occurs, we ensure that one of the following safeguards applies:

• the destination country has an adequacy decision;
• the provider uses Standard Contractual Clauses approved under the UK GDPR;
• the provider has Binding Corporate Rules;
• or other legally recognised safeguards.

Please contact us if you require further details on specific safeguards used.

9. Automated Decision-Making

We may use automated systems to help decide:

• whether to offer finance
• how much to lend
• at what price or risk tier

You may request:

• human review
• to challenge the decision
• further explanation of the logic used

You can do so by contacting us using the details above.

10. How Long We Retain Your Data

We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

• regulatory and legal retention periods
• audit requirements
• operational needs

We typically retain data for up to seven years after your account is closed or your application is withdrawn. In some cases, data may be retained longer where legally required.

11. Your Legal Rights

Under UK data protection law, you have the following rights:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent (where applicable)

You may exercise these rights by contacting us. We may ask for identification to ensure data is not disclosed to unauthorised individuals.

We aim to respond within one month. Complex or multiple requests may take longer, and we will keep you updated.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal requirements, regulatory changes or operational developments.

The most current version will always be available at mclfinance.com/privacy-policy.

13. Borrower Privacy Notice (Summary)

Where you apply for finance, your personal information may be shared with credit reference and fraud prevention agencies. They use it to support our credit decisions, prevent fraud and money laundering, verify identity, and assess your eligibility. If fraud is detected, you or associated parties may be refused certain services, finance or employment.

A full explanation of how your data is used is set out in this Privacy Policy, together with links to relevant CRA Information Notices. A paper copy can be provided upon request.