Privacy policy

Our contact details

Name: multifi

Address: Windsor House, Bayshill Road, Gloucestershire, GL50 3AT

Phone Number: +44 0330 113 0669

E-mail: info@multifi.co.uk

The type of personal information we collect

We currently collect and process the following information:

  • Name and contact details
  • Identification in the form of a passport or driver’s licence, and a utility bill or bank statement (within last 3 months)

 

Lawful bases under GDPR

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:

  • We have a contractual obligation.
  • Legal obligation: the processing is necessary for you to comply with the Anti-Financial crime laws and Regulations.

 

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for the following reasons:

  • To provide a revolving credit facility to pay for any goods or services, in respect of platform signatories and admin users as well as directors and shareholders with a holding of 25% or more.

We also receive personal information indirectly, from the following sources in the following scenarios:

  • Referrers who work on our behalf to provide you with the revolving credit facility will forward your personal data to us.
  • We use the personal data that you have given us in order to obtain further information for the purposes of credit scoring, anti-money laundering and fraud checks through the following ways:

 

Credit Reference Agencies

You understand that when we assess any credit application, including any future request for new or increased facilities, we will use the information (including information about the conduct of any existing facility) for credit assessment, which may include credit scoring.

We may make any enquiries relating to you and the business, that we consider necessary (for example, from another financial institution) and search the files of credit reference agencies at your home and business address, who will keep a record of each search. The credit reference agencies will supply both public (including the electoral register) and shared credit and fraud prevention information. This could affect your ability to get credit elsewhere within a short period of time. If you are a director, we will seek confirmation from credit reference agencies that the residential address that you provide is the same as that shown on the restricted register of directors’ usual addresses at Companies House. Details about any applications (whether or not they go ahead) will be recorded at the credit reference agency, including information on the business and its proprietors, and credit reference agencies may create a record of the name and address of your business and its proprietors if there is not one already. A financial link between joint applicants or between you and any named business partner or individual will be created at the credit reference agency. This will link your financial records (including records of any previous and subsequent names), where each will be taken into account in all future applications by either or both of you. If an association linking your financial records with those of any other person already exists at the credit reference agency, any applications will be assessed with reference to these associated records. This situation will continue until one of you successfully files a ‘disassociation’ at the credit reference agency. We will also pass details about you, the business and the conduct of your account (if this application is successful) to credit reference agencies. You understand that this will include any failure to make agreed payments, and that this information may affect your ability to get credit.

multifi are members of the Equifax credit data sharing arrangement. Each organisation that shares financial data with Equifax is also entitled to receive similar kinds of financial data contributed by other organisations. These organisations are typically banks, building societies, and other lenders, as well as other credit providers like utilities companies and mobile phone providers.

In the event a customer enters a Default event, after 30 days, multifi would report this to Equifax under the credit data sharing arrangement.

 

Verifying your identity and fraud checks

Before we can approve a facility for you, we and other organisations may search and use the records held by credit reference and fraud prevention agencies to prevent and investigate crime, fraud and money laundering. We may make searches at credit reference agencies who will supply us with information, including information from the electoral register, for the following purposes:

  • to check details on applications for credit facilities
  • to verify your identity
  • to manage credit and credit related facilities
  • to recover debt and trace your whereabouts

 

Scoring methods may be used to verify your identity. A record of this process will be kept that may be used to help other companies to verify your identity. If false or inaccurate information is provided and fraud identified, details will be passed to fraud prevention agencies. Law enforcement agencies may access and use this information.

 

Processor / Controller

multifi are both the Processor and Controller of your personal data. In circumstances where we process information on behalf of another business, this will entitle the third parties as listed, to be Controllers of your information. Please refer to Schedule 1 below for details of the Processor and Controllers rights between multifi and our third parties. The main third-party who will have access to your personal data will be multifi’s lenders, however we may share this information with the following relevant third parties:

  • multifi’s platform lenders
  • multifi’s funders
  • multifi’s accountants and auditors
  • Platform and other IT software providers
  • legal and financial advisors including, where appropriate, debt recovery providers
  • payment service providers
  • identity verification providers

 

Any third parties that we may share your data with are obliged to keep your details secure, and to use them only to support the fulfilment of the service we provide to you. When they no longer need your data to fulfil this service, they will dispose of the details in line with multifi’s procedures.

 

Full details of the third-party service providers we use are available from our Data Protection Officer on request.

 

How we store your personal information

Your information is securely stored on our Platform and on our MS SharePoint system, as well as laptops our employees use.

We keep your personal data for 6 years if a contract is entered into. Details of our record retention schedule are available on request from our Data Protection Officer.

Our Chief Technology Officer is responsible for the monitoring and disposal of your information on each of the Platform and IT software belonging to the Company.

 

Your data protection rights

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances where we have not entered into a formal contract with you.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at Info@multifi.co.uk if you wish to make a request.

 

We may update this privacy notice from time to time in order to reflect changes in our data processing practices, legal obligations, or best practices. We encourage you to review this privacy notice periodically to stay informed about how we handle and protect your personal data.

When we make a material change to this privacy notice, we will notify you either through a prominent notice on our website, by sending you an e-mail, or by any other appropriate means.
By continuing to use our service or providing personal data after any changes to this privacy notice, you acknowledge and agree to the updated terms.

 

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at Info@multifi.co.uk or call us on +44 0330 113 0669.

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane, Wilmslow,

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

 

SCHEDULE 1

Data privacy - Controller / Processor obligations

  • In connection with the provision of the Services under this Agreement, the Company requires certain information relating to Customers which will include personal data which it will provide to the Recipient. For the purposes of this agreement and pursuant to Article 28 (3) of GDPR, the Processor in this instance is the Company and the Controller is the Recipient.
  • The Company shall process personal data for directors and beneficial owners of businesses that it extends credit to.
  • The processing duration will be 24 months. The Company will provide the Recipient’s information required in a timely manner. Upon post contract termination, the Company will retain the personal data for a period of 6 years.
  • Under the obligations and rights specified by Article 28 (3) GDPR, this agreement stipulates, in particular, that the Company:
    • processes the personal data only on documented instructions from the Recipient, unless required to do so otherwise by UK law; An instruction can be documented by using any written form, including email. The instruction must be capable of being saved, so that there is a record of the Recipient having control of what happens to personal data. If the Company acts outside of the Recipient’s instructions in such a way that it decides the purpose and means of processing, including to comply with a statutory obligation, then it will be considered to be a controller in respect of that processing and will have the same liability as a controller.
    • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; the Company must obtain a commitment of confidentiality from anyone it allows to process the personal data unless that person is already under such a duty by statute. This covers all of the Company’s employees as well as any temporary workers and agency workers who have access to the personal data.
    • takes all measures required pursuant to Article 32, the Security of Processing. The Company is obliged to take all security measures necessary to meet the requirements of Article 32 on the security of processing. Both the Recipient and the Company as controllers and processors are obliged under Article 32 to put in place appropriate technical and organisational measures to ensure the security of any personal data they process, which will include:
      • encryption and pseudonymisation;
      • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      • the ability to restore access to personal data in the event of an incident; and
      • processes for regularly testing and assessing the effectiveness of the measures.
    • Adherence to an approved code of conduct or certification scheme may be used as a way of demonstrating compliance with security obligations.
    • Codes of conduct and certification may also help processors to demonstrate sufficient guarantees that their processing will comply with the UK GDPR. Further guidance on Security is provided here at the ICO.
    • respects the conditions referred to in paragraphs 2 and 4, for engaging another processor; under Article 28(3)(d):
      • the Company should not engage another processor (a sub-processor) without the Recipient’s prior specific or general written authorisation;
      • if a sub-processor is employed under the controller’s general written authorisation, the Company should let the Recipient know of any intended changes and give the Recipient a chance to object to them;
      • if the Company employs a sub-processor, it must put a contract in place imposing the same Article 28(3) data protection obligations on that sub-processor. This should include that the sub-processor will provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the UK GDPR’s requirements. The wording of these obligations does not need to exactly mirror those set out in this agreement between the Recipient and the Company, but should offer an equivalent level of protection for the personal data; and
      • the Company is liable to the Recipient for a sub-processor’s compliance with its data protection obligations.
    • taking into account the nature of the processing, assists the Recipient by providing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Recipient’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III; the Company is to take “appropriate technical and organisational measures” to help the Recipient respond to requests from individuals to exercise their rights.
    • This provision stems from Chapter III of the UK GDPR, which describes how the Recipient must enable data subjects to exercise various rights and respond to requests to do so, such as subject access requests, requests for the rectification or erasure of personal data, and objections to processing. The Company will work to provide these services on behalf of the Recipient. For more information, please read the ICO’s guidance on individuals’ rights.
    • assists the Recipient in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the Company; under Article 28(3)(f), taking into account the nature of the processing and the information available, the Company must assist the Recipient in meeting its obligations to:
      • keep personal data secure;
      • notify personal data breaches to the ICO;
      • notify personal data breaches to data subjects;
      • carry out data protection impact assessments (DPIAs) when required; and
      • consult ICO where a DPIA indicates there is a high risk that cannot be mitigated.
    • at the choice of the Recipient;
      • deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies of the personal data;
      • delete existing copies of the personal data unless UK law requires it to be stored.
      • deletion of personal data is carried out in a secure manner, in accordance with the security requirements of Article 32.
      • The above ensures continuing protection of personal data after the contract ends. This reflects the fact that it is for the Recipient to decide what should happen to the personal data being processed by the Company, once processing is complete. The retention of 6 years is deemed appropriate for personal data and the data is subsequently deleted on the Company’s next deletion/destruction cycle.
    • makes available to the Recipient all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The Company shall immediately inform the Recipient if, in its opinion, an instruction infringes Article 28 (3) GDPR.