Privacy Policy
V1.0 - 3 September 2025
Introduction
This Privacy Policy explains how Shuffle Finance Limited (“Shuffle Finance”, “Shuffle”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data in connection with our business lending services. It applies to:
Businesses who apply for, or use, our lending services;
Principals of businesses (such as directors, shareholders, partners, beneficial owners, guarantors, and authorised signatories); and
Other individuals whose personal data we may process in connection with providing our services (for example, employees, contractors, suppliers, or referees).
This policy is intended to give you clear and transparent information about:
The types of personal data we may collect;
The purposes for which we use your personal data;
The lawful bases on which we process your personal data;
How we share, secure, and retain personal data; and
The rights you have under data protection law.
This policy applies specifically to Shuffle Finance’s lending services to businesses. If you use Shuffle Finance’s consumer-facing services, please refer to our Consumer Privacy Policy available at https://getshuffle.co.uk/privacy-policy.
Data Controller
Shuffle Finance Limited is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in relation to the processing described in this policy.
Our registered details are: Shuffle Finance Limited trading as Shuffle, registered in England at 27 Old Gloucester Street, London, England, WC1N 3AX with company number 14928295.
If you have any questions about this Privacy Policy, or how we process your personal data, you can contact us at: help@shuffle.finance
Depending on the nature of your enquiry, we may also appoint a Data Protection Officer (DPO) or a dedicated contact for data protection queries. Details will be kept up to date on our website.
Types of Personal Data We Collect
In order to assess applications, provide lending services, and comply with our legal and regulatory obligations, we may collect and process the following categories of personal data:
A. Information you provide directly
When you or your business applies for finance, or otherwise communicates with us, you may provide:
Business details: legal name, trading name, registered and trading addresses, company registration number, VAT number, business bank account details.
Principal details: full name, date of birth, nationality, home address, contact details (telephone, email), role/relationship with the business.
Identity documents: copies of passports, driving licences, proof of address, or similar identification for KYC/AML purposes.
Financial information: management accounts, bank statements, tax returns, credit history, guarantor details.
Application information: details provided on loan applications, supporting documents, and correspondence with us.
B. Information we collect automatically
When you interact with our website, portals, or communications, we may collect:
Technical data: IP address, browser type, device identifiers, operating system, and login data.
Usage data: how you access and use our digital services, including cookies and analytics information (see our Cookie Policy for details).
C. Information from third parties
We may receive personal data about you or your business from external sources, including:
Credit reference agencies (for business and individual creditworthiness checks).
Fraud prevention agencies.
Publicly available registers and databases (e.g. Companies House, electoral roll, sanctions lists).
Commercial partners, brokers, or introducers who refer you to us.
Third-party service providers that assist with underwriting, risk assessment, and compliance.
D. Special categories of personal data
In general, we do not actively seek to collect special category data (such as health data, religious beliefs, or biometric data). However, in limited cases, we may process such information where it is relevant to a lending application (for example, information contained in identification documents, or disclosures you make voluntarily). We will only process such data where permitted by law and with appropriate safeguards in place.
How We Collect Your Data
We collect personal data about you and your business from a variety of sources, including:
Direct interactions – when you apply for finance, complete forms, provide documents, or communicate with us by phone, email, post, or via our website or portals.
Automated technologies – when you interact with our website, emails, or digital platforms, we may collect technical and usage data through cookies and other tracking technologies (see our Cookie Policy).
Introducers and partners – when brokers, financial advisers, or other commercial partners refer you to us.
Credit and fraud prevention agencies – when we carry out background, creditworthiness, and identity verification checks.
Publicly available sources – such as Companies House, the electoral roll, sanctions databases, or other regulatory registers.
Third-party service providers – where they support us in delivering our lending services (for example, for underwriting, risk assessment, compliance, or legal checks).
This combination of sources helps us to build a complete picture of your business and its principals to assess applications, meet legal obligations, and provide our services responsibly.
Legal Basis for Processing
Under the UK GDPR and the Data Protection Act 2018, we must identify a lawful basis each time we process personal data. The lawful bases we rely on are:
a) Performance of a contract
We process personal data where it is necessary to take steps at your request prior to entering into a contract, or to perform our obligations under an agreement with your business.
This includes:
Assessing finance applications and conducting credit and risk checks;
Preparing loan agreements and related documentation;
Managing accounts, payments, and collections;
Communicating with you in relation to your application or account.
b) Compliance with legal and regulatory obligations
We are legally required to process certain data in order to comply with UK laws and regulations, particularly in the financial services sector.
This includes:
Carrying out identity verification and due diligence (KYC checks);
Monitoring transactions for money laundering, fraud, and other financial crime;
Complying with tax, accounting, and reporting obligations;
Responding to requests from regulators, law enforcement, or courts.
c) Legitimate interests
We may process personal data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms.
Our legitimate interests include:
Protecting and managing our business, assets, and systems;
Improving our services and customer experience;
Conducting business analysis, risk management, and forecasting;
Marketing our products and services to businesses (subject to your right to opt out);
Establishing, exercising, or defending legal claims.
Where we rely on this basis, we balance our interests against your rights to ensure fairness and transparency.
d) Consent
In some cases, we will ask for your explicit consent before processing your data. For example:
To access certain third-party data (e.g. from your accounting software or open banking feeds);
To send you direct marketing communications by email, SMS, or phone where consent is required under the Privacy and Electronic Communications Regulations (PECR).
You can withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing carried out before consent was withdrawn.
e) Vital interests
In rare circumstances, we may process personal data to protect someone’s life or physical safety. This is an exceptional basis and would only be relied upon if no other lawful basis were available.
How We Use Your Data
We use the personal data we collect for the following purposes. For each purpose, we identify the lawful basis that allows us to process the data:
| Purpose of Processing | Lawful Basis | Examples of what this involves |
|---|---|---|
| Assessing applications | Performance of a contract (to assess your application) and Legitimate interests (to manage credit risk) | Verifying identity, evaluating business performance, conducting credit checks |
| Providing lending services | | Setting up accounts, issuing funds, managing repayments, handling enquiries |
| Risk management and fraud prevention | Legal obligation (AML and financial crime laws) and Legitimate interests (protecting our business and customers) | Detecting, investigating, and preventing fraud, money laundering, and financial crime |
| Compliance with legal and regulatory obligations | Legal obligation | Fulfilling reporting duties to HMRC, regulators, or law enforcement; record-keeping |
| Customer relationship management | Performance of a contract and Legitimate interests (maintaining good customer service) | Communicating with you about your application, account, or contract; providing support |
| Service improvements and business operations | Legitimate interests (to improve services and operate efficiently) | Monitoring system performance, analysing trends, improving services, staff training |
| Marketing and communications | Legitimate interests (for B2B marketing) or Consent (where required under PECR) | Sending information about products and services relevant to your business |
| Legal claims and enforcement | Legitimate interests (protecting our rights) and Legal obligation | Establishing, exercising, or defending legal claims; enforcing agreements |
| Use of third party data sources | Consent (where you authorise us to connect to third parties) and/or Performance of a contract | Accessing accounting software, bank feeds, or data from introducers |
| To create aggregated market research, from which all personal data is removed | Legitimate interests – so we can keep going as a business and continue to provide a service, we may provide aggregated market research services, from which all personal data is removed, to other businesses in return for revenue | Account Information, Transactional Information, Additional Personal Information |
| To comply with regulatory and audit requirements | Legal obligation | Mandatory Information |
Sharing & Disclosure
We may share your personal data with carefully selected third parties where this is necessary for the purposes described in this Privacy Policy, and always in compliance with data protection law. These include:
Credit reference agencies (CRAs) – to assess the creditworthiness of your business and its principals, and to record details of any credit agreements. This may affect the credit history of individuals associated with the business.
Fraud prevention agencies – to help detect, investigate, and prevent fraud, money laundering, and other financial crime. Information shared may be used by other organisations to make similar checks.
Regulators, law enforcement, and government bodies – where disclosure is required to meet our legal and regulatory obligations, such as the Financial Conduct Authority (FCA), HMRC, or the Information Commissioner’s Office (ICO).
Service providers and professional advisers – including IT and cloud hosting providers, auditors, legal advisers, payment processors, and analytics firms who support us in delivering our services. These parties are bound by strict contractual obligations to safeguard your data.
Commercial partners, brokers, or introducers – where your business was introduced to us by a partner, we may share relevant updates or information with them to manage the referral relationship.
Business transfers – in the event of a merger, acquisition, corporate restructuring, or sale of assets, your data may be transferred to the new entity as part of the business continuity process.
We do not sell your personal data to third parties. All third parties with whom we share data are required to maintain appropriate security and confidentiality measures, and they may only use the data for the purposes we specify.
Credit Check Notice
When you apply for business finance with Shuffle Finance, we may carry out credit checks on both your business and the principals of the business (such as directors, shareholders, guarantors, or beneficial owners).
These checks may involve:
Searching your personal credit records at one or more credit reference agencies (CRAs);
Linking the records of individuals financially associated with the business application;
Recording details of the search on your personal credit file, whether or not the application proceeds.
The CRAs will supply us with information about you, and they will also record details of our search. Other lenders may see this information and it may affect your ability to obtain credit in the future.
We may also share information about how your business manages its account (including defaults and repayment performance) with CRAs. This information may be used by other organisations to:
Make lending and credit-related decisions;
Trace debtors and recover debts;
Prevent fraud and financial crime;
Verify identity and conduct anti-money laundering checks.
CRA Bureau Privacy Notices (BPNs)
Each CRA is a data controller in its own right. To understand how they use and share personal data, please refer to their Bureau Privacy Notices (also known as CRAINs):
TransUnion: https://www.transunion.co.uk/bureau-privacy-notice
Experian: https://www.experian.co.uk/crain
Equifax: https://www.equifax.co.uk/crain
These notices explain in detail the role of CRAs, the type of data they hold, how they share it, and your rights in relation to your credit information.
International Transfers
Shuffle Finance is based in the United Kingdom, and the majority of your personal data is processed within the UK. However, some of our service providers or partners may be located outside the UK, or may store data on servers in other countries.
Where your personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect it, in line with UK data protection law. These safeguards may include:
Adequacy regulations – transfers to countries that the UK government has determined provide an adequate level of data protection (for example, the EU/EEA).
Standard Contractual Clauses (SCCs) – legally binding agreements approved by the UK government to ensure your data remains protected.
Other recognised safeguards – such as certification schemes or binding corporate rules, where applicable.
If no appropriate safeguards are available, we will only transfer your personal data with your explicit consent or where the transfer is necessary for the performance of a contract or for important reasons of public interest.
You can contact us at any time for more information about the safeguards we apply to international transfers.
Data Retention
We will only retain your personal data for as long as is reasonably necessary to fulfil the purposes we collected it for, including to satisfy legal, regulatory, tax, accounting, or reporting requirements.
In particular:
During your relationship with us – we will keep personal data for the duration of any finance application, agreement, or account.
After your relationship ends – we typically retain data for a period of up to six (6) years from the end of our relationship. This period reflects limitation periods for bringing legal claims and our obligations under financial services, anti-money laundering, and tax laws.
Longer retention – in some cases we may keep data for longer if:
It is required by law (e.g. certain financial or compliance records);
It is necessary for ongoing legal claims or regulatory investigations; or
You have consented to us retaining it for a longer period (e.g. for marketing preferences).
Once the applicable retention period has expired, we will securely delete or anonymise your personal data so that it can no longer be associated with you.
Your rights in relation to personal data
Under the General Data Protection Regulation (EU) 2017/676, you have various rights in relation to your personal data. All of these rights can be exercised by contacting us at help@shuffle.finance.
You have the following rights in relation to your personal data:
12.1. Right to Rectification:
We will use reasonable endeavours to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete.
12.2. Right to erasure / ‘Right to be forgotten’
Asking us to delete all of your personal data will result in Shuffle deleting your personal data without undue delay (unless there is a legitimate and legal reason why Shuffle is unable to delete certain of your personal data, in which case we will inform you of this in writing).
12.3. Right to restriction of processing
You have the right to ask us to stop processing your personal data at any time.
12.4. Right to data portability
You have the right to request that Shuffle provides you with a copy of all of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so.
12.5. Right to complain
You have the right to lodge a complaint with a supervisory authority such as the Information Commissioner’s Office in the UK (see www.ico.org.uk), although we encourage our customers to engage with us in the event they have any concerns or complaints.
12.6. Right to object to decisions based solely on automated processing
You have the right to not be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significant effects and to obtain human intervention, to express your point of view or contest the decision.
Marketing & Communications
We may use your personal data to keep your business informed about products, services, and offers that we believe may be relevant to you.
Business-to-business marketing – As we provide services to businesses, we may contact you in your professional capacity (for example, by email or telephone) about Shuffle Finance products and services. This is permitted under data protection and electronic communications law, provided we give you the opportunity to opt out.
Consent-based marketing – In some circumstances, we will ask for your explicit consent before sending you marketing communications (for example, where required under the Privacy and Electronic Communications Regulations).
Opting out – You can opt out of receiving marketing communications from us at any time by:
Clicking the “unsubscribe” link in our emails,
Following the opt-out instructions in our text messages, or
Contacting us directly at [Insert privacy contact email].
Even if you opt out of marketing, we may still send you service-related communications (such as updates about your application, loan agreement, or account).
Security Measures
We take the protection of your personal data seriously and implement a range of technical and organisational measures to keep it secure. These include:
Data security controls – such as encryption, secure servers, firewalls, and access restrictions to protect against unauthorised access, alteration, disclosure, or loss.
Access management – ensuring that only authorised staff, contractors, and service providers have access to personal data, and only where it is necessary for their role.
Training and awareness – providing regular data protection and information security training to our employees.
Monitoring and testing – maintaining logs, monitoring systems, and carrying out regular security reviews and penetration testing.
Third-party due diligence – requiring our service providers to meet strict contractual obligations in relation to confidentiality, security, and data protection.
While we take all reasonable steps to safeguard your data, no system or transmission of information via the internet can be guaranteed to be completely secure. We encourage you to use strong passwords, keep your login details confidential, and notify us immediately of any suspected security issues.
Data Protection by Design & DPIAs
We incorporate data protection principles into the way we design and operate our services. This means that privacy and security considerations are embedded into our systems, processes, and decision-making from the outset (“data protection by design and by default”).
In particular, we:
Limit the personal data we collect to what is necessary for the stated purpose;
Apply measures such as pseudonymisation, encryption, and access controls;
Regularly review data processing activities to ensure they remain necessary and proportionate;
Train staff to understand their data protection responsibilities.
Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals (for example, extensive credit checking or fraud monitoring), we carry out a Data Protection Impact Assessment (DPIA). DPIAs help us identify and minimise risks, and demonstrate compliance with UK GDPR requirements.
How to contact us
If you have questions or concerns about our privacy practices or your personal information, or if you wish to file a complaint, you can contact us at the above address or by email at help@shuffle.finance.
Linking to other websites / third-party content
Where we link to external sites and resources from our website, this does not constitute endorsement, and Shuffle takes no responsibility for any linked website.
Change to this policy
Any changes we make to our privacy policy in the future will be posted on this page, and where appropriate, notified to you by email or notifications via the App. We therefore encourage you to review it from time to time to stay informed of how we are processing your information.
Data protection is the fair and proper use of information about people. At Shuffle we want you to trust us and that starts with you trusting us to look after your data responsibly. We take your data seriously and as a minimum will comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.