Commercial Expert Ltd is committed to protecting and respecting your privacy.
Commercial Expert Ltd and what we do
‘To be a nationally known, well respected and transparent commercial finance advisory firm.
With a unique system process, satisfied clients and well paid, supportive staff.’
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting our websites, you are accepting and consenting to the practices described in this policy.
We operate under the Data Protection Act 2018 (‘DPA’) and the European General Data Protection Regulation (‘GDPR’).
For the purpose of the GDPR and DPA, the data controller is:
Commercial Expert Ltd
24a, Parsons Court,
Newton Aycliffe Business Park,
The DPA and GDPR apply to ‘personal data’ we process, and the data protection principles set out the main responsibilities we are responsible for.
We must ensure that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and where necessary kept up to date
- Kept for no longer than is necessary for the purposes for which the personal data are processed. We operate a data retention policy that ensures we meet this obligation. We only retain personal data for the purposes for which it was collected and for a reasonable period thereafter where there is a legitimate business need or legal obligation to do so. For detail of our current retention policy contact our privacy officer at email@example.com.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures
- To meet our Data Protection obligations, we have established comprehensive and proportionate governance measures.
We ensure data protection compliance across the organisation through:
- Implementing appropriate technical and organisational measures including internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies
- Maintaining relevant documentation on processing activities
- Implementing measures that meet the principles of data protection by design and data protection by default including data minimisation, pseudonymisation, transparency, deploying the most up-to-date data security protocols and using data protection impact assessments across our organisation and in any third party arrangements
The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together follows:
- Identity data includes first name, maiden name, last name, title.
- Contact data includes email address and telephone numbers.
- Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Usage data includes information about how you use our website and services.
- Marketing and communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
How is your personal data collected?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- complete our enquiry form on our website,
- contact us by telephone or email to seek a quote; and
- when you instruct us to provide services for you by telephone or email and you become our client.
- Third parties or publicly available sources. We may receive personal data about you from various third parties including Technical Data from analytics providers such as Google based outside the EU.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract, we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
Purposes for which we will use your personal data
We have set out below a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below. We do not process your data for automated decision-making or profiling purposes.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
To register you as a new client and prepare and witness appropriate loan documentation on behalf of a Funder
|(a) Identity (b) Contact (d) Serviceability Data (e) Introducer Data (f) Sensitive||(a) Performance of a contract with you (b) (c) When you have explicitly consented to us doing so in our Data Protection and Use of Data consent form|
|To process and deliver our service including:
(a) Manage lending quotes, payments, fees and charges
(b) Collect and recover money owed to us
(a) Performance of a contract with you, including providing you with your indicative terms and letter of suitability
(b) Necessary for our legitimate interests (to recover debts due to us)
When you are a referral, to provide you with information about our service
(a) Identity (b) Contact (c) Financial
(a) Necessary for our legitimate interests and the third party that refers you to us
To provide you with appropriate lending streams according to your financial circumstances including:
(a) Sharing categories of personal and sensitive data with prospective Funders
(b) Undertaking credit reference searches
(c) When you are referred to us, sharing details of our advice to your original referrer
(a) Identity (b) Contact (c) Financial (d) Serviceability Data (e) Introducer Data
(a) Performance of a contract with you
(b) Necessary for our legitimate interests and that of Funders (to ensure Funders are provided with the necessary and appropriate information about you and your circumstances to make an informed decision before offering their lending service)
(c) When processing sensitive data, only when we have your express consent
To manage our relationship with you which will include:
(b) Asking you to leave a review or take a survey
(a) Identity (b) Contact (i) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how clients use our products/services)
To enable you to partake in a prize draw, competition or complete a survey
(a) Identity (b) Contact (h) Usage (i) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how clients use our products/services, to develop them and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Identity (b) Contact (g) Technical
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
(a) Identity (b) Contact (g) Technical (h) Usage (i) Marketing and Communications
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
(g) Technical (h) Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you
(a) Identity (b) Contact (g) Technical (h) Usage
Necessary for our legitimate interests (to develop our products/services and grow our business)
Disclosure of your information
We may have to share your personal data with the parties set out below for the purposes set out in the table above.
- Internal Third Parties as set out in the ‘Glossary’.
- External Third Parties as set out in the ‘Glossary’.
- Specific third parties such as Credit Agencies, HM Land Registry
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share your information with selected third parties including:
- Business partners, suppliers, and sub-contractors for the performance of any contract we enter into with [them or] you, including without limitation any data processor we engage.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
We may disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
Where we store your personal data
All information you provide to us is stored on our secure servers. Any payment transfers will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site: any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try and prevent unauthorised access.
Retention of your data
We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. When you leave us as a client, we shall agree a data retention period with you and after expiry of this period, your personal data shall be deleted.
You have the right to ask us not to process your personal data for marketing purposes. We will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting the MD at firstname.lastname@example.org.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers, and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Under the GDPR You have the following specific rights in respect of the personal data we process:
- The right to be informed about how we use personal data – This Privacy Statement explains who we are; the purposes for which we process personal data and our legitimate interests in so doing; the categories of data we process; third party disclosures; and details of any transfers of personal data outside the UK
- The right of access to the personal data we hold. In most cases this will be free of charge and must be provided within one month of receipt
- The right to rectification where data are inaccurate or incomplete. In such cases we shall make any amendments or additions within one month of your request
- The right to erasure of personal data, but only in very specific circumstances, typically where the personal data are no longer necessary in relation to the purpose for which it was originally collected or processed; or, in certain cases where we have relied on consent to process the data, when that consent is withdrawn and there is no other legitimate reason for continuing to process that data; or when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The right to restrict processing, for example while we are reviewing the accuracy or completeness of data or deciding on whether any request for erasure is valid. In such cases we shall continue to store the data, but not further process it until such time as we have resolved the issue.
- The right to data portability which, subject to a number of qualifying conditions, allows individuals to obtain and reuse their personal data for their own purposes across different services
- The right to object in cases where processing is based on legitimate interests, where our requirement to process the data is overridden by the rights of the individual concerned; or for the purposes of direct marketing (including profiling); or for processing for purposes of scientific / historical research and statistics, unless this is for necessary for the performance of a public interest task
- Rights in relation to automated decision making and profiling
Please contact our data protection officer at email@example.com for more information about the GDPR and your rights under Data Protection law.
If you have a complaint about data protection at Commercial Expert Ltd, please contact our data protection officer at firstname.lastname@example.org. Alternatively you may get in touch with our supervisory authority for data protection compliance at: www.ico.org.uk:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Cookies are pieces of information that a website transfers to your computer’s hard disk for record-keeping purposes. Cookies can make the internet more useful by storing information about your preferences on a particular site, such as your personal preference pages.
Policy last updated: 21/08/2023
Signed off by: MC
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to
Express consent means processing your data only when we have your express consent to do so, in accordance with our Data Protection and Use of Data consent form.
Internal Third Parties
IT Services only.
External Third Parties
Professional advisers including lawyers (this includes Solicitors to whom you authorise payment of funding with), bankers, auditors and insurers based within the UK, who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, Financial Conduct Authority and other regulators and authorities based in the UK, who require reporting of processing activities in certain circumstances.
Third parties that have referred you to us to tend our brokering services and third-party Funders.