Core Principle
The Loan Intel platform processes publicly available Companies House data on corporate entities (SPVs). Company officer information from the public register may be used internally to identify associated corporate structures. Individual names are not shared between platform users or across lender boundaries. Cross-lender intelligence is always anonymised.
What We Process
The platform is built around corporate entities — companies registered at Companies House, parent groups, SPVs, and corporate borrowers. The primary data points in the system are company names and Companies House registration numbers. Company officer data sourced from the Companies House public register may be processed internally to identify corporate network structures, but is not shared between platform users or used as the basis for individual profiling.
The types of data the platform processes are:
- Company names and Companies House registration numbers
- Incorporation dates, registered office addresses, and company status
- Corporate group structures — parent companies and subsidiary SPV relationships
- Charge register data — lender name, charge date, charge type, and status
- HM Land Registry title and charge data for corporate proprietors
- Experian commercial credit scores and payment performance indices at company level
- Lender-submitted loan performance data (payment status, days late, facility reference)
- Anonymised credit decline records attributed to corporate entities
What We Do Not Share Between Users
The following categories of data are never shared between platform users, never displayed across lender boundaries, and never used for individual profiling:
- Individual officer or director names
- Dates of birth, nationalities, or residential addresses of any natural person
- Individual credit scores or consumer credit data
- Personal contact information of any kind
- HM Land Registry records where the registered proprietor is a natural person
- Experian director-linked fields or consumer data products
Where company officer data from the Companies House public register is processed internally to identify associated corporate structures, this processing is limited to establishing SPV relationships. Users see “associated SPVs” — not the underlying officer data that established the connection.
Our Data Sources
Companies House
We call Companies House open data APIs to retrieve company name, registration number, incorporation date, registered office, company status, corporate group structure, and the charge register. Company officer data from the public register may be used internally to identify associated corporate structures. This officer data is not shared between platform users or across lender boundaries, and is never used as the basis for individual profiling.
HM Land Registry
We retrieve title numbers, property addresses, corporate proprietor names, charge details, and price paid data. Records where the registered proprietor is a natural person (rather than a corporate entity) are automatically rejected and excluded from the database. Restriction free-text fields, lessee details naming natural persons, and caution or notice details referencing individuals are excluded.
Experian Commercial
We use Experian’s commercial credit product only — not consumer data. We ingest commercial credit scores, payment performance indices, CCJ counts and values at company level, insolvency indicators, and accounts filing status. Director names, director credit scores, director address history, and any consumer credit fields are excluded even where Experian’s commercial product includes them as linked fields.
Lender-Submitted Data
Participating lenders submit monthly portfolio data through the platform. Accepted fields are: SPV company name and number, parent company name and number, facility reference, payment status, payment date, days late, property address, title number, credit decision, and decline reason category. Submissions containing personal data — director or guarantor names, individual contact information, dates of birth, or personal credit details — are rejected by the system before processing.
Our Role as a Data Processor
Where participating lenders submit data to the platform on behalf of their borrowers or clients, TPCF may act as a data processor in relation to any personal data that those submissions inadvertently contain (for example, a personal guarantor’s contact information included in a free-text notes field). In such cases:
- TPCF processes such data only on the documented instructions of the submitting lender (the data controller);
- TPCF does not use any personal data received from lenders for its own purposes;
- TPCF ensures that persons authorised to process personal data are bound by appropriate confidentiality obligations;
- TPCF implements appropriate technical and organisational security measures;
- TPCF assists the data controller in responding to data subject rights requests where the personal data in question originated from their submission;
- On termination of the data processing relationship, TPCF deletes or returns all personal data at the controller’s election.
In practice, the platform’s ingestion architecture is designed to prevent personal data from entering the database in the first place. Personal data encountered at ingestion is rejected and logged rather than stored. TPCF’s role as data processor is therefore a legal backstop rather than a routine operational state.
If you are a participating lender and wish to enter into a formal Data Processing Agreement, please contact support@loan-intel.com or refer to our Data Processing Agreement.
Data Flows and Sub-Processors
The platform relies on a small number of carefully selected sub-processors to deliver its services. All sub-processors are bound by data processing agreements consistent with UK GDPR requirements. The following table sets out the key sub-processors and the nature of their involvement:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting and data storage | Germany / EU |
| Anthropic, PBC | AI-assisted support features (assistant) | USA (SCCs apply) |
| Postmark (ActiveCampaign) | Transactional email delivery | USA (SCCs apply) |
| Companies House (HMRC) | Company data API — open data, no personal data | United Kingdom |
| Experian Ltd | Commercial credit data API | United Kingdom |
| HM Land Registry | Property title data API — open data | United Kingdom |
Where sub-processors are located outside the UK or EEA, TPCF relies on UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. Transfers are only made where TPCF has assessed the third country’s legal framework and is satisfied that an appropriate level of protection can be maintained.
TPCF reviews its sub-processor list at least annually and will notify participating lenders of any material changes to sub-processors that may affect the processing of their data.
Cross-Lender Intelligence and Anonymisation
The platform acts as a whistleblower for the sector, surfacing risk about corporate borrowers that no single lender could see in isolation — for example, that an SPV has late payment performance with other lenders in the network, or that a corporate group has been declined elsewhere.
This intelligence is anonymised at source. When a lender sees that an SPV has payment issues across the network, they see the signal — number of late payments, number of lenders — but not the identity of which lenders reported them. Each participating lender’s raw submission data is held in an isolated, encrypted partition. No lender can access another lender’s raw data.
Cross-relationship mapping — identifying which lenders share common corporate borrower networks — is performed using corporate entity linkage. Connection strength is expressed as a count. Individual names are not surfaced to platform users at any point in this analysis. Users see anonymised signals about associated SPVs, not the underlying data used to establish the connection.
Our GDPR Position
UK GDPR applies to the processing of personal data — information relating to an identified or identifiable natural person. The platform processes personal data of company officers (directors and persons of significant control) sourced from the Companies House public register for the purpose of identifying associated corporate structures. This data is processed under the legitimate interests lawful basis (Article 6(1)(f) UK GDPR), balancing the platform’s interest in providing corporate intelligence against the limited impact on individuals whose data is already publicly available on a statutory register.
The platform focuses on corporate entities (SPVs) where the companies typically have multiple directors, shareholders, and governance layers. Company officer data is used internally to map corporate networks but is not shared between platform users or across lender boundaries, and is never used as the basis for individual profiling.
This position is supported by a data-minimisation approach — officer data is used only to the extent necessary to identify associated corporate structures, not to build profiles of individual natural persons.
GDPR Rights — Account Holders
While the platform’s core data processing does not involve personal data, TPCF does process the personal data of registered users (account holders) as a data controller. This includes name, email address, job title, employer, login history, and usage data collected during platform operation.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of Access (Article 15): You may request a copy of the personal data we hold about you, together with information about how and why we process it.
- Right to Rectification (Article 16): You may ask us to correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure (Article 17): You may ask us to delete your personal data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent. This right is subject to our legitimate interests and legal obligations.
- Right to Restrict Processing (Article 18): You may ask us to pause or restrict the processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You may request a copy of your personal data in a structured, commonly used, machine-readable format for transfer to another controller.
- Right to Object (Article 21): You may object to processing of your personal data that is based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making: We do not make legally significant automated decisions about individuals. The platform’s health scores and analytics relate to corporate entities only.
To exercise any of these rights, please contact us in writing at support@loan-intel.com or by post to TP Commercial Finance Ltd, 5 Garrick Street, London, WC2E 9AR. We will respond to all verified requests within 30 days. There is no charge for exercising your rights. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
Technical and Organisational Security Measures
TPCF implements appropriate technical and organisational measures to protect all data processed through the platform against unauthorised access, loss, destruction, or disclosure. Key measures include:
- All data encrypted at rest using AES-256 encryption;
- All data encrypted in transit using TLS 1.2 or higher;
- Role-based access controls limiting platform access to authorised users only;
- Each lender’s raw submission data held in an isolated, encrypted partition;
- JWT-based authentication with token expiry and rotation;
- Regular security reviews and vulnerability assessments;
- Audit logging of all administrative access to platform data;
- UK-based data hosting (Hetzner data centres, GDPR-compliant).
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, TPCF will notify the ICO within 72 hours and affected data subjects without undue delay, in accordance with UK GDPR Articles 33 and 34.
Data Retention
Account holder personal data is retained for the duration of the account and for a period of up to 6 years following account closure, to enable TPCF to comply with legal obligations, resolve disputes, and enforce contractual rights. After this period, personal data is securely deleted or anonymised.
Corporate entity data (loan book entries, payment records, decline records) that has been incorporated into aggregated, anonymised datasets will be retained indefinitely in anonymised form as part of the platform’s historical market intelligence. Individual loan book entries and payment records can be deleted by the submitting lender at any time from within the platform, subject to the aggregated data caveat above.
Related Policies & Documents
Privacy Policy
How we collect, use, and protect your personal data as an account holder.
Data Processing Agreement
Formal DPA for lenders who process personal data via the platform.
Terms & Conditions
Full platform terms of service governing your use of Loan Intel.
Contact
If you have questions about how this platform handles data, would like to exercise your data subject rights, or wish to discuss a Data Processing Agreement, please contact us:
TP Commercial Finance Ltd
5 Garrick Street, London, WC2E 9AR, United Kingdom
Email: support@loan-intel.com
Website: www.loan-intel.com
For data protection complaints, you may also contact the Information Commissioner’s Office (ICO) at ico.org.uk or by phone on 0303 123 1113.