Privacy Notice

Our Privacy Notice

This Privacy Notice applies to personal data that is held and processed by the Reward Finance Group
(“Reward”).

References to Reward and the Reward Group in this Privacy Notice are and applies to each of the
companies listed below. All of these companies are registered with the Information Commissioner’s
Office with the ICO registration numbers given. You will also note our registration numbers at
Companies House:

(a) Reward Capital Limited (ICO registration number ZA104349 and company number
09432492 );

(b) Reward Invoice Finance Limited (ICO registration number ZA104340 and company
number 09432479);

(c) Reward Capital (A) Limited (ICO registration number ZB542173 and company number
13558424);

(d) Reward Invoice Finance (A) Limited (ICO registration number ZB542175 and company
number 13558429);

(e) Reward Finance Group Limited (ICO registration number ZB540835 and company number
7385919);

(f) Reward SPV1 Ltd (ICO registration number ZB542237 and company number 12373901);

(g) Reward SPV2 Ltd (ICO registration number ZB542241 and company number 12518501);

(h) Reward Asset Finance Ltd (ICO registration number ZB664453 and company number
13919550).

All of the Reward Group companies have their registered office at 12 King Street, Leeds, LS1 2HL.

Reward takes the utmost care in its processing of personal data. This notice applies to clients of
Reward, including their directors and shareholders, prospective clients of Reward (being individuals
with whom Reward is actively engaging with the intention that they become clients), clients of Reward
(including those who provide personal guarantees and third party security providers), contacts of
Reward (being individuals with whom Reward may promote Reward products), introducers to Reward,
suppliers to Reward and individuals who visit our website
at http://www.rewardfinancegroup.com/ (“Website”). By visiting the Website, you are accepting and
consenting to the practices described in this privacy policy. If you do not consent, please do not submit
any personal data to us.

When we process your personal data we are required to comply with the Data Protection Act 2018
and the UK General Data Protection Regulation and associated laws (Data Protection Laws).
Your personal data includes all the information we hold that identifies you or is about you, including
but not limited to information you give us by completing enquiry forms on the Website or by
corresponding with us by phone, email or otherwise. The information you give us may include your
name, email address, postal address, date of birth, location data and in some cases opinions that we
document about you.

Everything we do with your personal data counts as processing it, including collecting, storing,
amending, transferring and deleting it. We are therefore required to comply with the Data Protection
Laws to make sure that your information is properly protected and used appropriately.

This notice provides information about the personal data we process about you, why we process it
and how we process it.

Our responsibilities

Reward is the data controller of the personal data you provide. We have appointed Tim Stafford as
our privacy officer and he will have day to day responsibility for ensuring we comply with the Data
Protection Laws and dealing with any requests we receive from individuals exercising their rights
under the Data Protection Laws.

Your responsibilities

It is important that you read this privacy notice together with any other privacy notice or fair
processing notice we may provide on specific occasions when we are collecting or processing personal
data about you so that you are fully aware of how and why we are using your data. This privacy notice
supplements the other notices and is not intended to override them.

It is important that the personal data we hold about you is accurate and current. Please keep us
informed if your personal data changes during your relationship with us.

Why do we process your personal data and what personal data is involved?

Exactly what personal data we process, and why we process it, will depend upon the relationship you
have with Reward.

We may need personal data from you to be able to enter into a contract with you and provide you
with all the information you need. If we do not receive that personal data from you, we may be unable
to fulfil our obligations to you.

It is important to note that whether you are a client or providing security that we share some
information with CIFAS. Please see below under the heading CIFAS for details about this.

1.Our clients

We hold and process data about our business customers, being directors, persons with significant
control, shareholders, partners and / or sole traders. In this regard we hold data relating to those
individuals.

The personal data that Reward processes for clients and potential clients may comprise
Names; business email addresses; personal email addresses; dates of birth; copies of certified
identification documents (passports, driving licences, utility bills; marriage certificates); dependents
details; home addresses; business addresses; vehicle details; details of personal assets and liabilities;
addresses of land owned as assets; mortgage statements; business bank statements; personal bank
statements; EPC; gas and electrical safety certificates; lease documents (whether for personal or
business properties); insurance details (whether for personal or business properties); director
searches; credit (consumer) reports; director searches; bankruptcy search results; anti-money
laundering reports; management and audit accounts. business and personal bank statements.
In each case, Reward recognises that some of the above may not comprise personal data under a strict
interpretation of the Legislation but nevertheless as a matter of good conduct this policy will apply to
this data in terms of security and processing.

It is necessary for us to process the data obtained for the purpose of a contract with these business
customers, or in anticipation that we may enter into a contract with these clients. It is also on the basis
that it is necessary in our legitimate interests to prevent fraud and money laundering, to verify
identity, in order to protect our business and to comply with applicable laws.

We hold and process this data even if the transaction does not proceed.

Once a contract has been fulfilled with a business client, or once the account ends or becomes inactive,
we will retain some of the data as we consider it necessary to do so in our legitimate interests but also
in the legitimate interests of the former client in order to assist in future business relationships with
them and facilitate those relationships. maintain contact, advise them of new products, special offers
and events. This is set out in further detail below.

As we hold this data on the basis of our legitimate interests, you can opt out of this at any time by
emailing is at privacy@rewardcf.com

In each case, it should be recognised that some of the above may not comprise personal data under a
strict interpretation of the Data Protection Laws but nevertheless as a matter of good conduct we will
apply to this data in terms of security and processing.

2. Individuals providing security

We hold and process data about individuals who are the owners of businesses (whether directors,
shareholders, partners) who provide security for finance provided to and on behalf of their business
or from any other third party security provider.

This data may comprise names, email addresses; personal addresses; telephone contact numbers;
dates of birth; copies of certified identification documents (passports, driving licences, utility bills);
home addresses; details of assets and liabilities; addresses of land owned as assets; mortgage
statements; EPC; gas and electrical safety certificates; insurance details; director searches; credit
reports; bankruptcy search results; business and personal bank statements.

It is necessary for us to hold this data as it is in the legitimate interests of our business, the businesses
to whom we provide finance, and also the individuals themselves. We process this data for the
purposes of the security provided and if necessary to enforce our rights. It is also on the basis that it
is necessary in our legitimate interests to prevent fraud and money laundering, to verify identity, in
order to protect our business and to comply with applicable laws.

Once a contract has been fulfilled with the business, a loan has been repaid in full, or once the account
ends or becomes inactive, we will retain some of the data as we consider it necessary to do so in our
legitimate interests but also in the legitimate interests of the former customer in order to assist in
future business relationships with them and facilitate those relationships. maintain contact, advise
them of new products, special offers and events. This is set out in further detail below.

As we hold this data on the basis of our legitimate interests, you can opt out of this at any time by
emailing is at privacy@rewardcf.com
In each case, it should be recognised that some of the above may not comprise personal data under a
strict interpretation of the Data Protection Laws but nevertheless as a matter of good conduct we will
apply to this data in terms of security and processing.

3.Third parties

We hold data of other companies, businesses, organisations or associations who supply goods and /
or services to us or with whom we have a professional relationship or potentially common interest.
This includes promotion of our business and developing our services and evaluating our performance.
The data we process in relation to such third parties comprises business / organisation names, contact
names, addresses, email addresses, telephone numbers and, where we obtain goods and / or services,
details of orders placed, values, and quotations.

We process this data as we consider it necessary in our legitimate interests to enhance and preserve
such relationships.

As we hold this data on the basis of our legitimate interests, you can opt out of this at any time by
emailing is at privacy@rewardcf.com

4.Visitors to our website

When you visit or use the website, we process information by way of the use of analytics to collect
information about you by way of cookies. For more information about the cookies we use and how
long the data taken will be retained for by us please see our Cookie Policy which can be found on our
website.

We believe it is necessary for these cookies to use your data on the lawful basis that it is in the
legitimate interests of our business for the purpose that we need to use these cookies to monitor use
of our website, track the use of our website, to keep our website updated and relevant, to develop
our business, to inform our marketing strategy and to improve and develop website performance. It
is also necessary for us to use these cookies to enhance and assist a visitor’s experience when using
our website.

We will only use the cookies for these purposes.

Our website uses cookies to distinguish you from other users of the Website. for detailed information
on the cookies we use and the purposes for which we use them, please see our Cookie Policy

Cookie Policy

CIFAS

Before we provide any financing we undertake checks for the purposes of preventing fraud and money
laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third
parties will be used to prevent fraud and money laundering, and to verify the identity of individuals.

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by www.cifas.org.uk/fpn.

We and fraud prevention agencies may also enable law enforcement agencies to access and use
your personal data to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are
considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Who else will we share your personal data with?

We only transfer and share your personal data to the extent we need to. Aside from CIFAS (above),
recipients of your personal data include:

• Other group companies within Reward where this is necessary for ordinary entry and
management of contracts;

• legal and financial advisors in relation to our entry and management of any contract we have
with you;

• professional organisations that provide services relating to the provision of our services, for
example valuation specialists and surveyors;

• credit reference organisations in relation to any credit reference, customer identification or
anti-money laundering checks;

• We will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/.

• third party providers of network services, for example email distribution systems and data
centre providers; or

• The data taken by cookies on our website will also be shared with our website provider / host.
We share your personal data with any member of our group, which means our subsidiaries, our
ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.
This may involve transferring your data outside the European Economic Area (EEA). We ensure your
personal data is protected by requiring all our group companies to follow the same rules when
processing your personal data.

How long will we keep your personal data?

We will retain your personal data for 7 years. We retain your information for this period in case any
issues arise or in case you have any queries. Your information will be kept securely at all times.
Following the end of the 7 year period, your files and personal data we hold about you will be
permanently deleted or destroyed. If we are required to obtain your consent to send you marketing
communications, any information we use for this purpose will be kept until you withdraw your
consent, unless we have other legitimate reasons to retain the data.

However, we may retain some basic contact data indefinitely where it is held in our legitimate
interests for marketing or business development purposes. We do not consider that doing so affects
the fundamental rights and freedoms of those to whom this personal data relates.

What are your rights?

You benefit from a number of rights in respect of the personal data we hold about you. We have
summarised your rights below, and more information is available from the Information
Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-dataprotection-regulation-gdpr/individual-rights/). These rights apply for the period in which we process
your data.

Access to your data

You have the right to ask us to confirm that we process your personal data, as well as access to / copies
of your personal data. You can also ask us to provide a range of information, although most of that
information corresponds to the information set out in this notice.
We will provide the information free of charge unless your request is manifestly unfounded or
excessive or repetitive, in which case we are entitled to charge a reasonable fee.
We will provide the information you request as soon as possible and aim to do so wherever possible
within one month of receiving your request. If we need more time, or more, information to comply
with your request, we’ll let you know.

Rectification of your data

If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify
that information. We will comply with your request within one month of receiving it, unless we don’t
feel it’s appropriate in which case we’ll let you know why. We’ll also let you know if we need more
time to comply with your request.

Right to be forgotten

In some circumstances, you have the right to ask us to delete personal data we hold about you. This
right is available to you:

• where we no longer need your personal data for the purpose for which we collected it;

• where we have collected your personal data on the grounds of consent and you withdraw that
consent;

• where you object to the processing and we don’t have any overriding legitimate interests to
continue processing the data;

• where we have unlawfully processed your personal data (i.e. we have failed to comply with
UK GDPR); and

• where the personal data has to be deleted to comply with a legal obligation.
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those
apply, we’ll let you know.

Right to restrict processing

In some circumstances you are entitled to ask us to suppress processing of your personal data. This
means we will stop actively processing your personal data but we don’t have to delete it. This right is
available to you:

• if you believe the personal data we hold isn’t accurate – we’ll cease processing it until we can
verify its accuracy;

• if you have objected to us processing the data – we’ll cease processing it until we have
determined whether our legitimate interests override your objection;

• if the processing is unlawful; or

• if we no longer need the data but you would like us to keep it because you need it to establish,
exercise or defend a legal claim.

Data portability

You have the right to ask us to provide your personal data in a structured, commonly used and
machine-readable format so that you are able to transmit the personal data to another data controller.

This right only applies to personal data you provide to us:

• where processing is based on your consent or for performance of a contract (i.e. the right does
not apply if we process your personal data on the grounds of legitimate interests); and#

• where we carry out the processing by automated means.

We’ll respond to your request as soon as possible and in any event within one month from the date
we receive it. If we need more time, we’ll let you know.

Right to object

You are entitled to object to us processing your personal data:

• if the processing is based on legitimate interests or performance of a task in the public interest
or exercise of official authority;

• for direct marketing purposes (including profiling); and/or

• for the purposes of scientific or historical research and statistics.

In order to object, you must have grounds for doing so based on your particular situation. We will stop
processing your data unless we can demonstrate that there are compelling legitimate grounds which
override your interests, rights and freedoms or the processing is for the establishment, exercise or
defence of legal claims.

Automated decision making

Automated decision making means making a decision solely by automated means without any human
involvement. This would include, for example, an online credit reference check that makes a decision
based on information you input without any human involvement. It would also include the use of an
automated clocking-in system that automatically issues a warning if a person is late a certain number
of times (without any input from HR, for example).

We don’t carry out any automated decision making using your personal data.

Your right to complain about our processing

If you think we have processed your personal data unlawfully or that we have not complied with Data
Protection Laws, you can report your concerns to the supervisory authority in your jurisdiction. The
supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO
on 0303 123 1113 or get in touch via other means, as set out on the ICO website
– https://ico.org.uk/concerns/.

Any questions?
If you have any questions or would like more information about the ways in which we process your
data, please contact privacy@rewardcf.com