1. Introduction
Credvanta Recovery Group Limited (“Credvanta”) is committed to protecting the privacy, confidentiality, integrity and security of all personal data processed during the course of its business operations.
This Policy explains how Credvanta collects, processes, stores, shares, protects and retains personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other applicable data protection legislation.
Credvanta recognises the importance of maintaining the trust of its Clients, Debtors, suppliers, business partners, employees and all other individuals whose personal information it processes.
This Policy applies to all personal information processed by Credvanta in connection with its commercial business-to-business (B2B) debt recovery activities and associated business operations.
Credvanta undertakes commercial business-to-business debt recovery activities only and does not undertake any regulated activity.
2. Scope
This Policy applies to all personal information processed by Credvanta including information relating to:
- Clients;
- Prospective Clients;
- Debtors;
- Company directors;
- Company officers;
- Shareholders;
- Partners;
- Sole traders where acting in the course of business;
- Guarantors;
- Authorised representatives;
- Employees;
- Contractors;
- Consultants;
- Suppliers;
- Professional advisers;
- Website users; and
- Any other individuals whose personal information is processed in connection with Credvanta’s business activities.
This Policy applies regardless of whether personal information is processed electronically, in paper format, verbally or by any other means.
All employees, directors, contractors, consultants and any person processing personal information on behalf of Credvanta are expected to comply with this Policy.
3. Data Controller
For the purposes of UK data protection legislation, Credvanta Recovery Group Limited is the Data Controller for the personal information processed in connection with its business activities.
Registered Office:
5 Canon Court
Institute Street
Bolton
BL1 1PZ
England
Operational Office:
Credvanta Recovery Group Limited
Suite 2/3
48 West George Street
Glasgow
G2 1BP
For all data protection enquiries, requests or concerns, please contact:
Legal Department
Email: Legal@credvanta.co.uk
Telephone: 0800 975 7066
4. Personal Information We Collect
Depending upon the nature of our relationship with an individual or organisation, Credvanta may collect and process information including:
Identity Information
- Full names;
- Job titles;
- Positions held;
- Dates of birth where reasonably necessary;
- Company registration details;
- Director, partner and officer information;
- Identity verification information where required.
Contact Information
- Business addresses;
- Correspondence addresses;
- Telephone numbers;
- Mobile numbers;
- Email addresses.
Financial & Commercial Information
- Invoice information;
- Outstanding balances;
- Payment history;
- Banking details where relevant;
- Payment arrangement information;
- Account references;
- Commercial agreements;
- Credit-related information where lawful.
Recovery Information
- Case notes;
- Recovery history;
- Communication records;
- Trace and locate information;
- Field visit records;
- Recovery outcomes;
- Legal referral records;
- Settlement records;
- Complaint records.
Payment Processing Information
Where payments are made through Credvanta’s authorised payment processing facilities, we may process:
- Transaction information;
- Payment references;
- Payment dates;
- Payment values;
- Payment method;
- Reconciliation records;
- Credit Notes;
- VAT Invoices;
- Net Recovery calculations;
- Client Money Account allocation records;
- Accounting records.
Technical Information
- IP addresses;
- Device identifiers;
- Browser information;
- Website usage information;
- Cookie information;
- Call recordings;
- SMS records;
- Email delivery records;
- Website security logs.
5. Lawful Basis for Processing
Credvanta processes personal information using one or more lawful bases under UK GDPR.
Contractual Necessity
Processing necessary for providing commercial debt recovery services, managing Client relationships, administering payment arrangements, receiving and administering debtor payments, reconciling recovered monies, issuing Credit Notes and VAT Invoices, and settling Net Recovery to Clients.
Legitimate Interests
Credvanta has legitimate interests in recovering commercial debts, protecting the interests of Clients, preventing fraud and financial crime, conducting trace and locate activity, maintaining accurate accounting records, managing commercial relationships, protecting staff, investigating complaints, maintaining business security and exercising legal rights.
Legal Obligations
Processing may also be necessary to comply with UK GDPR, the Data Protection Act 2018, anti-money laundering obligations where applicable, Court Orders, legal proceedings, HMRC requirements, accounting obligations and other applicable legal requirements.
Consent
Where consent is relied upon, individuals may withdraw consent at any time without affecting the lawfulness of processing undertaken before withdrawal.
6. How We Use Personal Information
Credvanta may process personal information for purposes including commercial debt recovery, Client onboarding, identity verification, contacting Clients and Debtors, managing recovery activity, managing payment arrangements, receiving debtor payments, administering payments, allocating payments, reconciling recovered monies, maintaining Client Money Account records, calculating Net Recovery, issuing Credit Notes and VAT Invoices, facilitating settlement to Clients, preventing fraud, detecting financial crime, conducting sanctions screening where appropriate, carrying out trace and locate activity, instructing trusted independent partner law firms where authorised, compliance monitoring, quality assurance, staff training, complaint handling, business administration, financial accounting, internal auditing, risk management, legal proceedings, exercising or defending legal rights and complying with legal and regulatory obligations.
Credvanta does not use payment information or recovery information for direct marketing purposes unless an individual has separately consented where consent is required.
7. Payment Processing & Client Money Administration
As part of its commercial business-to-business debt recovery services, Credvanta is authorised by its Clients to receive and administer debtor payments in accordance with the Service Agreement, Terms & Conditions and Client Service Acceptance & Authorisation.
Payments may be received using payment methods, merchant acquiring facilities and payment processing services operated or arranged by Credvanta.
Recovered monies are received into Credvanta’s undesignated Client Money Account solely for the purposes of:
- Receiving debtor payments;
- Identifying and allocating payments to the appropriate Client;
- Reconciling receipts received from payment providers and banking partners;
- Maintaining accounting and reconciliation records;
- Issuing Reconciliation Statements, Credit Notes and VAT Invoices;
- Calculating Net Recovery;
- Deducting commissions, agreed fees, disbursements, the minimum monthly usage fee where applicable and any other contractual sums due; and
- Facilitating onward settlement to Clients.
Credvanta receives and administers recovered monies solely in its capacity as the Client’s authorised commercial debt recovery and collection agent. Payment information may be processed for fraud prevention, financial crime prevention, reconciliation, accounting, audit, dispute resolution, complaint handling, legal proceedings and compliance purposes.
Credvanta maintains appropriate accounting records relating to all monies received, reconciled, deducted and remitted in accordance with its contractual arrangements and applicable legal obligations.
8. Data Sharing
Credvanta will only share personal information where there is a lawful basis to do so and where such sharing is reasonably necessary for the provision of our commercial debt recovery services, compliance with legal obligations, the protection of legitimate interests, or the exercise or defence of legal claims.
Depending upon the circumstances, personal information may be shared with Clients, Debtors and their authorised representatives where appropriate, payment processors, banking providers, merchant acquiring providers, trusted independent partner law firms, barristers and other professional advisers, court services, enforcement officers where lawfully authorised, tracing and locate agencies, identity verification providers, fraud prevention agencies, sanctions screening providers, credit reference agencies where lawful, CRM and case management software providers, cloud hosting providers, email and communications providers, telephone system providers, IT support providers, accountants, auditors, insurers, regulators, law enforcement agencies, HMRC, the ICO where appropriate and any other third party where disclosure is reasonably necessary for the recovery of a commercial debt, compliance with legal obligations, protection of legitimate interests or the administration of Credvanta’s business.
All third parties receiving personal information are expected to process such information securely and only for legitimate business purposes. Credvanta does not sell personal information.
9. International Data Transfers
Some of Credvanta’s service providers may process or store personal information outside the United Kingdom. This may include providers connected with Microsoft 365, Google Workspace, OpenAI, Twilio, cloud hosting providers, email providers, communication platforms and other software or technology providers used by Credvanta.
Where personal information is transferred internationally, Credvanta will take appropriate steps to ensure adequate safeguards are in place in accordance with UK GDPR and applicable data protection legislation. Such safeguards may include UK International Data Transfer Agreements (IDTAs), International Data Transfer Addendums, Adequacy Regulations, Standard Contractual Clauses where appropriate or other lawful transfer mechanisms.
10. Information Security
Credvanta is committed to protecting personal information through appropriate technical and organisational security measures.
These measures may include:
- Secure cloud infrastructure;
- Role-based access controls;
- Strong authentication procedures;
- Multi-factor authentication;
- Encryption where appropriate;
- Firewall protection;
- Anti-malware protection;
- Secure backup procedures;
- Audit logging;
- System monitoring;
- Vulnerability management;
- Secure disposal procedures; and
- Staff training and regular review of security controls.
Access to personal information is limited to those individuals who require it for legitimate business purposes. Whilst Credvanta takes reasonable steps to protect personal information, no electronic transmission or storage system can be guaranteed to be completely secure.
11. Data Retention
Credvanta retains personal information only for as long as reasonably necessary for the purposes for which it was collected and in accordance with applicable legal, contractual, accounting and regulatory obligations.
Unless a longer retention period is required or permitted by law, Credvanta may retain Client records, Debtor records, recovery files, payment records, accounting records, Client Money Account reconciliation records, Credit Notes, VAT Invoices, Reconciliation Statements, call recordings, email correspondence, SMS communications, complaint files, trace information, legal referral records, compliance records, audit records and other business records for a minimum period of six (6) years following the conclusion of the relevant matter or business relationship.
Information may be retained for longer where reasonably necessary in connection with court proceedings, legal claims, enforcement action, fraud prevention, financial crime investigations, insurance matters, regulatory investigations, tax or accounting requirements or other legal obligations.
At the end of the applicable retention period, personal information will be securely deleted, destroyed or anonymised where appropriate.
12. Individual Rights
Subject to applicable law, individuals may have rights including:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure in certain circumstances;
- The right to restrict processing;
- The right to object to processing;
- The right to data portability where applicable; and
- Rights relating to automated decision-making where applicable.
Requests should be submitted to:
Legal Department
Email: Legal@credvanta.co.uk
Credvanta may request reasonable evidence of identity before responding to any request. Credvanta will respond to requests within the timescales required by applicable data protection legislation. Credvanta reserves the right to refuse or limit requests where permitted by law, including where a request is manifestly unfounded, excessive, repetitive or where a statutory exemption applies.
13. Complaints
If you have any questions or concerns regarding the way Credvanta has processed your personal information, please contact:
Legal Department
Email: Legal@credvanta.co.uk
Telephone: 0800 975 7066
Credvanta will investigate all data protection complaints fairly, promptly and in accordance with its internal complaints procedures. If you remain dissatisfied following our response, you may have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Nothing within this Policy affects any statutory rights you may have under applicable data protection legislation.
14. Policy Review & Updates
Credvanta reserves the right to amend, update or replace this Data Protection & Privacy Policy at any time to reflect changes in legislation, regulatory guidance, case law, business operations, technology, security requirements, industry best practice or operational improvements.
The latest version of this Policy will always be made available upon request and, where applicable, published on Credvanta’s website. Continued use of Credvanta’s services following publication of an updated Policy shall constitute acknowledgement of the updated version to the extent permitted by applicable law.
15. Contact Details
For all data protection enquiries, subject access requests or privacy-related concerns, please contact:
Legal and Compliance Team
Credvanta Recovery Group Limited
Suite 2/3
48 West George Street
Glasgow
G2 1BP
Email: Legal@credvanta.co.uk
Telephone: 0800 975 7066
Credvanta Recovery Group Limited (Company No. 17251971) undertakes commercial business-to-business (B2B) debt recovery activity only. Credvanta does not undertake regulated consumer debt collection activity and is not authorised or regulated by the Financial Conduct Authority (FCA).