Santiago SME Finance provides merchant cash advance loans and term loans to corporate borrowers. In the business of appraising the risks and attraction of funding proposals, Santiago SME Finance collects and records information pertinent to the appraisal and due diligence of the loan application, the borrower and promoter.
Santiago SME Finance is a Data Controller within the meaning of the General Data Protection Regulations 697/2016/EU (“GDPR”) and applicable Irish data protection legislation (currently the Irish Data Protection Acts 1988 to 2018).
We will process any personal information provided to us, whether it be through our website (www.santiagosme.ie), in person, by any form, correspondence, telephone, email or by any other means, or otherwise held by us in relation to you in the manner set out in this policy.
What personal data do we collect and process?
We may collect, store, and process information provided by you via email, calls, KYC, information provided while submitting a loan application. The only other sources of personal data are from publicly available information from the Companies Registration Office and judgement searches.
The information is required to set up an account with Santiago SME Finance, in the due diligence process of assessing applications from current and prospective borrowers.
The data we collect varies upon the nature of your relationship with Santiago SME Finance and they can include the following:
- KYC Data: including name, date of birth, scanned copies of photo ID, utility bills.
- Contact Data: Personal contact details including current and previous addresses, telephone numbers, social media details, and personal/business email addresses.
- Company Data: including business name, CRO number; personal data, contact details and financial information about directors, partners, members, shareholders, beneficial owners and guarantors; judgements, financial statements, and other company information available on the CRO.
- Financial Data: including financial statements for the company, bank account details, open banking consent to have a read only access to your bank account transactions, credit rating information from Central Credit Register, and other banking information.
- System Data: including your activity on the system, information provided on the system including loans and other company information that was provided by you.
- Marketing Data: including your preferences in receiving marketing from us and your communication preferences.
How do we collect your data?
If you or a representative of your company engages with us, we may collect your data through the following two methods:
- Information provided by you and/or your representative directly to us;
- Information from outside sources to help us carry out our due diligence process;
Information provided by you and/or your representative directly to us:
- Information provided through our website;
- Information provided through our application and verification process;
- Information provided by you and/or your representative when communicating with us via emails, phone calls, social media;
In addition to the personal and financial information you submit or we collect, we may also collect information about your computer (including your IP address, operating system and browser type), your interaction with our system and our website.
Information from outside sources to help us carry out our due diligence process:
- Information and reports from Central Credit Register, High Court Searches, Bankruptcy register, fraud prevention agencies, insolvency practitioners;
- Commercial and Marketing databases; and
- Public records and any publicly available information sources.
Please note that if you provide information about other people, then you confirm that:
- By providing information about other people, that you have all relevant permissions to make all disclosures, act on their behalf and in relation to all individuals involved in a company, to allow us to make credit checks in respect of those people.
How do we use your data?
We collect, store, and use your personal data:
- To ascertain your borrowing needs;
- To inform you of any changes in our system and your account activity;
- To inform you of any changes to our products and services;
- To develop and improve our products, services, and business;
- To transfer money;
- To carry out mandatory and other credit and regulatory checks;
- To comply with our legal and regulatory obligations;
- To perform credit analysis and to determine credit-riskiness of your application;
- For market research, analysis and, testing;
- To contact you (via email) with products and services that we think may interest you;
- To open accounts with us and to manage and maintain those accounts;
- To open a new settlement account with our Payments Partner;
- To update the records we hold about you;
- To verify your identity and the other information you have provided to us, including your bank account;
- For the prevention and detection of fraud and other illegal or criminal activity;
- To contact you for recovering debts or enforcing a loan contract;
- To fulfil present and future regulatory and tax requirements;
Who will your information be shared with?
In the completion of any facilities, it will be necessary to share your personal information with third parties in a variety of circumstances:
- To companies in our group and our affiliates;
- To assess your credit risk with a third-party credit reference agency such as Search4less which is GDPR compliant;
- IT and CRM systems including Salesforce;
- To our Payments Partner, NoFrixion, to create a settlement account;
- To our E-Signature Partner for signing documents;
- With guarantors and joint borrowers;
- Credit Checks via CCR;
- If we are required to do so by applicable law and regulation, governmental, tax or regulatory body or law enforcement agency;
- Uploading loan information to the Central Credit Register;
How long will the information be stored and used for?
We will only retain your personal data and information for as long as necessary to fulfil the purpose(s) for which it is obtained, considering any legal/contractual, accounting, or reporting obligations to keep it.
We consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements to determine the appropriate retention period for personal data.
By law we have to keep basic information about our customers (including Contact, Identity, Financial, and System Data) for six years after they cease being customers for tax purposes. In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
We will retain and securely destroy your personal information in accordance with applicable laws and regulations.
Your rights relating to personal data
You have the following rights under the GDPR, in certain circumstances and subject to certain exemptions, in relation your personal data:
- Right to access the data: You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification: You have the right to request that any inaccurate data that is held about is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
- Right to erasure: You have the right to request us to delete personal data that we hold about you. This is sometimes referred toas the right to be forgotten.
- Right to restriction of processing or to object to processing: You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability: You have the right to request us to provide you, or a third party, with a copy of your personal data in structured, commonly used machine-readable format.
Transfers of data outside the European Economic Area
We will not transfer any data outside of the European Economic Area, unless specifically requested to do so by you, depending on the circumstances of your transactions.
If we do transfer personal data outside of the EEA, Santiago SME Finance will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of the following safeguards:
- Transfer to a non-EEA country whose privacy legislation ensures an adequate level of protection of personal data to the EEA one (in terms of GDPR requirements);
- Put in place a contract with the foreign third-party that means they must protect personal data to the same standards as the EEA (to the same standards as GDPR);
- Transfer personal data to organisations that are part of specific agreements on cross-border data transfers with the European Union (e.g., corporate rules, privacy shield, etc.); or
- Complying with any guidance and or practice directives issued by the Irish Data Protection Commission.
We will take reasonable steps to ensure that your information is kept secure and protected, including but not limited to electronic data being protected using appropriate software, relevant network safety and security checks, and any computers or devices that can access data are encrypted. We do store some personal data in physical forms, and they are kept in an appropriately secure environment that includes:
- Secure HTTP connection (HTTPS) which encrypts data between clients and servers;
- Database Backups (within the EU);
- Restrictions in the upload file types.
Security and other Third Parties
Santiago SME Finance takes appropriate technical and organisational measures to safeguard the personal data that you provide to us, but we accept no liability if communications are intercepted by third parties or incorrectly delivered or not delivered.
If we transfer your information to third parties, we will take steps to ensure that the transfer and any on-going processing by those third parties is carried out securely and in accordance with applicable privacy laws.
You also have a responsibility to ensure that your information is kept secure. If you are an account holder with our system, you must:
- Keep your login details secret;
- Log out of your account when not using it;
- Maintain good internet security (Careful using public Wi-Fi or shared access internet connections, use a VPN where applicable etc.); and
- Notify us immediately if you think your account is compromised.
Updates to this notice
We may make changes to this notice from time to time, particularly when we change how we use your information, and change our technology and products., You can always find an up-to-date version of this notice here or you can ask us for a copy.