In the course of our business, Nucleus Commercial Finance (“Nucleus”) needs to collect and use certain personal data about living individuals, including past, present and prospective customers in order to run our business effectively and meet your customer requirements.
The General Data Protection Regulation and the UK’s Data Protection Act are important laws governing the processing, including the use or holding, of personal data. They also give you, the individual, certain rights and remedies in respect of that personal data.
Terms under data protection law which are used in this Policy are defined in it or in the Glossary at the end of it.
Nucleus has appointed a Data Protection Manager at a senior level with specific responsibility for day today matters of data protection, who acts as our contact point with the Information Commissioner’s Office (“ICO”). Please contact our Data Protection Manager, Simon Willmett, with any questions or concerns you may have about our use of personal data.
Postal address: Data Protection Manager, Nucleus Commercial Finance Limited, Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX.
Telephone number 0207 839 9442
Email address: firstname.lastname@example.org
Please read this Policy carefully to help you understand the approach we take to handling your personal data and the rights you have as an individual.
All personal information given to us through this website will only be held and used in accordance with this Policy, the Privacy and Electronic Communications (E.C. Directive) Regulations 2003 (as amended), the General Data Protection Regulation (EU) 2016/679 or “GDPR” and before 25 May 2018 the Data Protection Act 1998, together with replacement, amending or supplementary laws or regulations relating to the protection of personal data.
Nucleus operates as part of a group of companies (“the Group”) within the UK and overseas and this Policy provides privacy information about how the Group collectively uses personal data. The Group companies will use personal data for their own purposes and will also share personal data between them, in each case as data controllers. This Policy explains how Group companies based in the European Economic Area (“EEA”) use and share personal data, including with Group companies based outside the EEA.
The Group companies for the purposes of this Policy are:
Nucleus Commercial Holdings Limited Registered in England and Wales with company number 09646728 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Services Limited Registered in England and Wales with company number 09914635 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Commercial Finance Limited Registered in England and Wales with company number 07829566 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Commercial Finance1 Limited Registered in England and Wales with company number 08564200 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Property Finance Limited Registered in England and Wales with company number 09747438 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Property Finance2 Limited Registered in England and Wales with company number 10993690 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Business Cash Advance Limited Registered in England and Wales with company number 10546776 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
Nucleus Cash Flow Finance Limited Registered in England and Wales with company number 09990385 Registered address Mezzanine Floor, St Albans House, 57-59 Haymarket, London SW1Y 4QX
From time to time, we may add additional legal entities to the Group and we will update our Policy to identify them when this happens. New entities will form part of the Group for purposes of this Policy and they will deal with your personal data on the same basis as other members of the Group.
We share personal data on EU citizens with our contractor, Quantility Business Solution Private Limited (“Quantility”), a company incorporated in the Republic of India under corporate identification number U74999MH2016PTC280925, which provides administrative and other support to the Group companies. This Policy also provides privacy information for Quantility in relation to its processing of EU citizens’ personal data.
We use different methods to collect personal data from and about you, including:
We may collect, use, store and transfer different kinds of personal data about you. The personal data we collect will depend on the relationship you have with Nucleus.
If you are:
An employee of Nucleus, someone working with us under a contract for services, or someone who applies for employment or work with us, we will provide you with specific privacy information and ask for your consent to use your personal data. We will also collect the following information on you:
A business contact, including persons who supply us with goods (including hiring things to us) or services and any contacts at a company or other organisation which does so, and clients or prospective clients (including contacts at companies or other organisations) to whom we supply or may in future wish to supply our products and services, as well as the customers and debtors of our clients, we may collect the following types of data on you:
A person associated with a customer or debtor of one of our clients, whose data may be relevant to the business you or your organisation does with our client, with contracts entered into, debts incurred or to be incurred or historic business transactions between you/your organisation and our client, and for preventing fraud and setting credit limits and availability, we may collect the following types of data on you:
A person associated with a supplier or other creditor of one of our clients, whose data may be relevant to the business you or your organisation does with our client or their obligations to you or your organisation, with contracts entered into, debts incurred or to be incurred or historic business transactions between you/your organisation and our client, and for preventing fraud and making payments on behalf of our clients from any facility they may from time to time have with us:
If you are a director, officer, shareholder or proposed personal guarantor in relation to a facility with one of our clients, then ahead of entering into a customer agreement with you or with our client, we will as a matter of course undertake anti money-laundering checks and may conduct credit reference checks with third-party agencies. These checks are a crucial and necessary step Nucleus must undertake before we are able to enter into a contract with your organisation.
When CRAs receive a search request from Nucleus they may:
We will give details of all financial commitments of a client or prospective client to us or which we become aware of during our enquiries, and how those commitments are managed, to the CRAs. If you borrow and do not repay in full and on time, the CRAs will record the outstanding debt and, in some cases, the length of time that the debt remains outstanding; other organisations may see these updates and this may affect your ability to obtain credit in the future.
Any records shared with CRAs will remain on file for six years after your account is closed, whether any outstanding sums have been settled by you or following a default. The CRAs are responsible for data held on their files and you should contact them with concerns regarding any information they hold or may hold on you.
You can contact the CRAs currently operating in the UK. The information they hold may not be the same, so you may consider contacting them all. They will charge you a small statutory fee. They are:
If you fail to provide personal data
Where we need to collect personal data by law or under the terms of a contract we have with you, and you fail to provide that data when requested:
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for (or any purpose which is not incompatible with those purposes), including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will only use your personal data when the law allows us to. Most commonly, we will use, analyse and assess your personal data in the following circumstances:
In obtaining or storing information about you we may:
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
We do not use any fully automated decision-making process.
Note that we may process your personal data on more than one lawful basis, depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To assess and make decisions about prospective clients who may wish to obtain financial products and services from us||(a) Identity data (b) Contact data (c) Financial data (for credit purposes)||(a) Performance of a contract with you (b) Necessary for our legitimate interests in promoting or providing our products and services to you or your organisation (c) Your consent|
|To register you (or your employer or a person or entity to whom you provide services) as a new client.||(a) Identity data (b) Contact data (c) Financial data (for credit purposes)||(a) Performance of a contract with you (b) Necessary for our legitimate interests in promoting or providing our products and services to you or your organisation (c) Your consent|
|To fulfil our contractual obligations to a client, to you or your organisation or to enforce your or your organisation’s obligations to us or to our client, including to (a) Manage payments, fees and charges (b) Collect and recover money owed to us||(a) Identity data (b) Contact data (c) Financial data (d) Transaction data||(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)|
|To manage our relationship with you which will include: (a) Notifying you about changes to our terms or Policy (b) Contacting you about products or services we obtain from or provide to you or your employer||(a) Identity data (b) Contact data||(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how our products/services are used and received)|
|To administer and protect our business which may include: a) Financial risk assessment, preventing money laundering, fraud or other wrongdoing; b) Contacting credit reference agencies and making credit related decisions; c) Recovering monies and making payments to you and/ or your business.||(a) Identity data (b) Contact data||(a) Necessary for our legitimate interests (b) Necessary to comply with a legal obligation|
|To administer a contract for services or contract of employment between us – we will provide you with further information about this when we collect information from you and during the course of our relationship)||(a) Identity data (b) Contact data (c) Financial data||(a) Performance of a contract with you (b) Necessary for our legitimate interests (to administer the economic relationship between us) (c) Necessary to comply with a legal obligation (related to your work or workplace or our obligations under the law in relation to these)|
We will also use personal data about you for marketing purposes. Further information is set out in the Marketing section of the Policy, below.
We may have to share your personal data with the parties set out below for the purposes set out in the table above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may from time to time wish to contact you via email, telephone, letter or SMS in order to keep you informed about products, goods or services which may be of interest to you and to provide news and information about our business and that of any business within our Group.
We may also provide you from time to time with information about products and services from selected third parties which may be of interest to you or your organisation.
Where we send electronic marketing to an individual subscriber (under the Privacy and Electronic Communications Regulations (“Privacy Regulations”)), Nucleus will only do so where we have received explicit consent from you to do so and for each separate method of electronic communication.
We are not required by law to obtain prior consent to send you marketing information if you have purchased products or services from us personally, or if we are contacting you at your organisation which is a “corporate subscriber” under the Privacy Regulations.
You always have the right to refuse direct marketing communications directed to you personally. Should you wish to do so, please contact our Data Protection Manager.
We may use your personal information and information about your computer (including, where available, your IP address, operating system and browser type) for market research and other marketing purposes such as announcements on our pricing, product launches, updates on the company, etc. We may also share your personal information with third parties for the purpose of conducting market research and running marketing campaigns. Third parties who process your personal data on our behalf are only permitted to do so in accordance with our instructions, which will have previously been agreed with yourself. We will take steps to ensure that the transfer and any on-going processing by those third parties is carried out securely and in accordance with applicable data protection and privacy laws and regulations. We also collect and retain:
Where you submit personal data to us using an online form, please ensure that you select the appropriate option on the form if you do not want your data to be used by us or selected third parties for marketing purposes. You can also notify us at any time if you do not wish your data to be used in this way. If you do not select the appropriate option, but wish to do so subsequently, please contact our Data Protection Manager so we can update our records.
We are part of a global Group of companies and, in order to support our business in the most efficient manner possible, we share infrastructure and functions across our business internationally. This means that we may transfer your personal data to, or your personal data may be accessible in, any location in which we do business.
If your information is transferred to or accessible in a country which is not considered by the European Community to provide adequate protection for your rights and freedoms in relation to the processing of personal data (such as the USA), we will take alternative steps (as permitted by the GDPR) to ensure your information is adequately protected and that those transfers comply with data protection law.
We may transfer your information to other countries, including those outside the European Economic Area, either for storage purposes or if we engage suppliers, sub-contractors or third-party data processors who are based or have operations overseas.
In particular, our Group companies may transfer any personal data they hold or obtain from time to time related to prospective clients to Quantility. Quantility acts as both a data processor and data controller (for different purposes) to help review and assess data on prospective clients provided by the Group companies. Data processed by Quantility may be used to help one or more Group companies determine whether they wish to do business with a prospective client and on what terms.
Our Group companies may also transfer to brokers and introducers personal data relating to prospective clients (as part of other data relating to them) to which they are or would be unable to offer facilities, to enable these brokers and introducers to identify and introduce alternative providers. These brokers and introducers will act as data controllers and some of these brokers may be located outside the EEA.
Each Group company that
You have the right to make a complaint about our use of your personal data at any time to the Information Commissioner's Office (“ICO”). The ICO is the UK’s supervisory authority for data protection issues (www.ico.org.uk).
If you do have a problem, question or concern about our use of your personal data, we would really appreciate the chance to try to help you before you approach the ICO, so please feel free to contact us in the first instance using the data protection compliance officer’s contact details above. You can contact us about data privacy issues in other ways, but if you contact the data protection compliance officer, that will make it much easier for us to help you.
You have the right to:
Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
When we receive such a request we will endeavour to provide you with these details without delay and at the latest within one month of receipt. We may extend the period of compliance by a further two months where requests are complex or numerous. In such instances Nucleus will inform you within one month of the receipt of the request and explain why the extension is necessary.
When Nucleus receives a subject access request we will provide a copy of the information held free of charge. Nucleus may charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that we will charge for all subsequent access requests rather that the Nucleus reserves the right to charge a fee based on the administrative cost of providing the information.
If the after reviewing a request the Data Protection Manager believes a request is manifestly unfounded or excessive, particularly if it is repetitive, then Nucleus may charge a ‘reasonable fee’ which will be decided on a case by case basis. In certain circumstances Nucleus may even refuse to respond to such requests.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. You can exercise your right to prevent such processing by refraining from ticking certain boxes on the forms we use to collect your data whether that is on this website of via any other means. Alternatively, you can also exercise the right at any time by contacting us at email@example.com
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
At Nucleus Commercial Finance we value your business and we want you to be entirely satisfied with the service you receive. If we make a mistake, or we fail to meet your expectations in some other way, we want the opportunity to put things right as quickly as we can. Furthermore, we will take steps, where appropriate, to prevent a recurrence.
Complaints can be raised by any channel at any time. Please follow one of the steps below when making your first contact:
By e-mail: You can e-mail firstname.lastname@example.org with details of your complaint.
Nucleus Commercial Finance
2 Gee’s Court, London
What to include: In order for us to help you the best way we can, we ask that you provide:
Our complaints process: We will acknowledge your complaint within 3 working days of receipt and inform you of the steps we are taking to investigate it, or when you can expect a final response.
We treat all complaints fairly and will aim to resolve your complaint as soon as possible within 5 working days.
Where the complaint or problem is complex, we may need longer to look into the issue and ask you for more information.
We will keep you updated on the progress of your complaint throughout the process and provide contact information for the complaint handler dealing with your case.
If we have been unable to resolve your complaint within 8 weeks, have not sent you a final response within 8 weeks, or you are unhappy with the outcome of your complaint, you can ask the Financial Ombudsman Service (“FOS”) to carry out an independent review.
The FOS can help with most complaints if you are:
The contact details for the Financial Ombudsman Service are:
The Financial Ombudsman Service, South Quay Plaza, 183 Marsh Wall, London E14 9SR
Telephone: 0845 080 1800
FOS consumer leaflet
Recording the Complaint
Please note that, in accordance with its regulatory obligations, Nucleus Commercial Finance will compile a report of each complaint. These records will be retained for no less than three years from the date the complaint was received.
Information that is transmitted via the internet is never completely secure.
We have put suitable protection in place, however any transmission of personal data to us via the internet is at your own risk.
Where necessary we use encryption to protect the integrity of data during submission.
We also employ similar technologies and access control methods to keep any stored data secure.
Any changes to this Policy will be posted here and will take immediate effect.
If you have any questions about this Policy or about our use of your personal details, then please contact the Data Protection Manager
“Personal data” means any information about an individual, held by a data controller, from which the controller can identify a specific, living person. It does not include data about a living person that the controller can’t identify.
Some personal data falls into “Special Categories” under the GDPR and are given greater protection. These include any personal data revealing your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and information about your health, as well as genetic and biometric data. Information about criminal convictions and offences is also treated differently from ordinary personal data under the GDPR.
There are a number of different lawful bases for processing your personal data under the GDPR. These include:
Legitimate Interest means the legitimate interests of Nucleus or of a third party, including in conducting a business, which must be balanced against the effect of the processing of personal data on individuals’ rights and freedoms.
In most cases where our legal basis for processing your personal data is a legitimate interest, this will be the legitimate interest of Nucleus, of members of its Group or our clients in conducting our and their business. In the case of Nucleus and its Group, this will be to provide financing in the most efficient and effective way we can. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests or those of others. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Protecting your vital interests applies where we would otherwise require your consent to use data, but you are physically or legally incapable of giving consent, and processing is to protect your interests – for example, to facilitate urgent medical treatment.
External Third Parties
These include our and our Group’s service providers, acting as data processors, based inside and outside the EEA who provide technical, financial, logistical, information technology, data storage or other support for our work.
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, insolvency practitioners, and insurers based in the EEA and of it who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
Governments and public authorities in other countries where we carry out filming who require information on our crew and contributors.
To enhance your experience on our site, our web pages use "cookies" to distinguish you from other users. If you use this website, then you accept that we can use the cookies set out below.
1. Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
2. The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
3. Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
4. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
5. We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
6. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
7. As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details above.
CONSEQUENCES OF PROCESSING
8. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
9. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
10. Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
11. Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
12. For more information or to exercise your data protection rights, please contact us using the contact details above.
13. You also have a right to complain to the Information Commissioner’s Office which regulates the processing of personal data.