This privacy notice describes how Credicorp Limited collects and processes personal data. Credicorp Limited is the data controller for the data described here. Our registered address is Suite AU31848, 9 Skyport Drive, Harmondsworth, West Drayton UB7 0LB; Companies House number 16093826.
1. What we collect
- Identity: director's full name, date of birth, nationality, photo ID document.
- Contact: email, mobile telephone, home address (for the director, to verify identity).
- Financial: the company's UK business bank account sort code and account number, the company's credit file at our business credit reference agencies.
- Transactional: applications submitted, loans taken, payments made and missed.
- Operational: IP address, device type and browser at signup, audit logs of important actions.
2. Why we collect it
- To enter into and perform the Business Loan Agreement with the borrower company (legal basis: contract).
- To meet anti-money-laundering obligations under the Money Laundering Regulations 2017 (legal basis: legal obligation).
- To prevent and detect fraud (legal basis: legitimate interest).
- To send service and operational messages about your application and loan (legal basis: contract).
- To send marketing emails about Credicorp products (legal basis: consent, opt-in at signup; you can withdraw at any time).
3. Who we share it with
- Our servicing agent — CM Beyer Limited, a related company, operates this lending platform and services loans on our behalf, and may process your data as a processor acting on our written instructions.
- Business credit reference agencies — Experian Business, Creditsafe, Equifax Business. We share the company's identity and the fact and performance of the loan.
- Payment processor — for the Direct Debit collection of repayments.
- Companies House and HMRC — for company verification and tax reporting.
- Identity verification provider — to corroborate the photo ID and the director's address.
- Our regulators and law enforcement — when required by law.
We do not sell personal data to third parties for marketing.
4. How long we keep it
We keep loan records for seven years after the loan is settled (to meet FCA and HMRC regulatory requirements) and then delete them. Marketing-only data is deleted when you withdraw consent, or after 24 months of inactivity — whichever is sooner.
5. Your rights
Under UK GDPR you have the right to access, correct, port and (in limited circumstances) erase the personal data we hold about you. You also have the right to object to processing based on legitimate interest. To exercise any of these rights, email [email protected].
6. Complaints to the ICO
If you are not happy with how we have handled your data you can complain to the Information Commissioner's Office: ico.org.uk, 0303 123 1113.
ICO Registration No. ZC157682
7. Automated document checks and AI processing
When you upload a photo ID document (passport or driving licence) or a bank statement as part of your application, we run two automated checks:
- ID authenticity check: we send the uploaded document image to an AI provider (Anthropic, Inc., operating the Claude model) for an automated assessment of whether the document appears genuine. The model returns a signal (likely genuine / suspect / inconclusive) and a confidence score. Your image is transmitted over an encrypted connection.
- Bank statement parsing: we send uploaded bank statement PDFs or images to the same AI provider for extraction of transaction signals and an affordability signal. The model's output is used alongside Open Banking data as an input into the lending decision.
The signals from these checks are inputs into our automated decision engine. The AI decision is the lending decision: we do not run a routine human checkpoint over every application before it is approved or declined. The document-check processing is carried out under our legitimate interest in preventing fraud and meeting our anti-money-laundering obligations (Money Laundering Regulations 2017). The lending decision itself is automated processing necessary for the performance of the Business Loan Agreement with you, or for our legitimate interests in sound underwriting, and is subject to the safeguards described in our AI and automated decisions policy. Under UK GDPR Article 22 you can request human intervention, express your point of view, or contest any significant decision by writing to [email protected].
Anthropic acts as our data processor under a data-processing agreement. Document images are used solely for this assessment and are not used to train AI models. Retention of the scan results and extracted fields is set out in the data retention schedule.