1. Introduction and Summary
At ILOCX, we are committed to protecting the personal data of the companies and buyers who use our platform.
- how and when we collect your personal data, and what information we collect;
- what we use your personal data for;
- who we share your personal data with;
- how long we hold your personal data for; and
- your rights to control your personal data.
2. How and when do we collect your information and what do we collect?
If you engage with us in any way, we may collect the following information about you through the methods of contact you choose to use at the point of engagement:
- information you provide through our website and through our application and verification processes;
- information you provide through communications with us, whether in writing (including by letter or email) or on the telephone (including by way of recorded calls);
- information we obtain through your engagement with us on social media, including on blogs, forums and through Facebook and Twitter; and
- information provided on your behalf by your representatives or agents (“Agents”) who engage with us on your behalf in the ways described above.
From time to time we obtain information from outside sources to help us carry out our business functions. This information, which often contains personal data, includes:
- information and reports from credit reference agencies, fraud prevention agencies, insolvency practitioners, debt advisers and tracing agents;
- commercial databases and marketing databases; and
- public records and other publicly available information sources.
If you wish to become a member of ILOCX you will need to provide us with the following information, which we sometimes also collect from third parties:
- your personal details (including name, current and previous postal addresses);
- your contact information (including phone and e-mail details);
- (for companies, those representing companies and relevant License buyers) your business name and contact information;
- financial information (including bank or building society account details and details of debit cards used to make transfers on ILOCX);
- information you provide in our registration or application processes (including, if you are a company, Agent or relevant License Buyer, certain personal data, identity verification, contact details and financial information about directors, partners, members, shareholders, beneficial owners and guarantors);
- information you provide in your dealings with us and through your interaction with ILOCX;
- if you are a company or a director, partner, member, shareholder, beneficial owner or guarantor of a company:
- information about your business or company, such as the conduct of your accounts, and similar credit information;
- credit reference checks (see section 7 below for more detail);
- electoral register information;
- fraud prevention information; and
- passwords and answers to security questions.
In addition to the personal and financial information you submit or we collect as described above, we will also collect information about your computer (including, where available, your IP address, operating system and browser type), your interaction with ILOCX and website, and email performance data.
We also collect and retain:
- copies of our correspondence with you as well as other data we collect relating to your activities on ILOCX and your arrangements with ILOCX;
- details about visitors to our website for the purposes of aggregating statistics or reporting purposes and to calculate referral fees; and
- comments made on blogs and discussion forums in connection with ILOCX.
We generally do not seek to collect sensitive personal data (also known as ‘special categories of data’). However, we are occasionally given sensitive personal data of officers of companies (such as criminal records) as part of our KYC investigations.
If you provide information about other people (for example, if you represent a company and you provide information about directors, partners, members, shareholders or beneficial owners other than yourself) then you must:
- when providing information about other people, ensure that you have all relevant permissions and authority: (i) to make all those disclosures; (ii) to act on their behalf; and (iii) in relation to partners, members, shareholders or beneficial owners of companies.
3. Using your information
We collect, store and use your personal data:
- to inform you of ILOCX's developments and activity and of changes to our products and services;
- to develop and improve our services, products and business, including analysing and improving our credit risk models and our customer service offering;
- if you are a company (or a director, partner, member, shareholder, beneficial owner or guarantor of a company):
- to ascertain your capital needs;
- to assess your company to ascertain if licensing is suitable for you;
- to verify any royalties you have proposed under the licence agreements with your License buyers;
- to transfer money;
- to carry out mandatory or other regulatory checks;
- to comply with our legal and regulatory obligations;
- to carry out statistical analysis and market research and testing;
- to contact you (including by SMS and e-mail) with products and services which ILOCX think may interest you (at all times taking into consideration your rights at law including your right to opt-out from receiving marketing from us);
- to open accounts with us and to manage and maintain those accounts;
- to verify your identity and the other information you have provided to us, including your bank account information and (if relevant) the identity of your business associates;
- to update the records we hold about you from time to time;
- to provide and administer ILOCX and our related services; and
- for the prevention and detection of fraud, money laundering, or other illegal or criminal activity.
Where relevant, we will hold and process your sensitive personal data to allow us to make decisions about you and your accounts with us or with which you are connected. This may involve us sharing your sensitive personal data with your Agents. We will process sensitive personal data only in accordance with our legal rights and obligations. If this processing is carried out with your consent, at the point of collection you will be informed of your right to withdraw that consent at any time, and the process for doing so.
We continually review the legal basis for us using your personal data in the ways described above. In most instances it is in our legitimate interests to use your information in the manner described above to provide you with the services we offer. We consider this data processing to be proportionate and not prejudicial or detrimental to you. In some, specific circumstances, the processing is necessary for the performance of a contract to which you are a party, necessary for compliance with a legal obligation to which we are subject, or necessary in order to protect your vital interests or the vital interests of other small business owners or License buyers. We sometimes rely on consent, and in those instances we have processes in place to ensure that we obtain your freely-given and informed consent to use your personal data for agreed, specific purposes.
We use the information we collect about your computer for: (i) our legitimate purposes; (ii) platform administration; and (iii) service improvement. Our Cookies Policy is that we have one cookie which is solely used to keep you logged in to your account. We do not serve any marketing, advertising or tracking cookies.
4. Sharing and disclosing your information
We may disclose your personal data to other registered members of ILOCX, including:
- to operate ILOCX;
- in the licence agreement between companies and License buyers;
- to allow companies to provide promotional materials, news and updates to their License Buyers;
- to provide transactional and performance information;
- to provide updates; and
- if required to assist in arbitration, or, if required following the results of arbitration, to assist License Buyers to enforce (or make preparations to enforce) any royalty payment due under the licence agreement.
If you, as a registered member of ILOCX, receive information about another registered member, then you must only use that information to communicate with us about your licence contract with that member. You acknowledge that we are not responsible for misuse of transactional or other information by other members but you must inform us promptly if you are the victim of any misuse of that information.
We may disclose your personal data:
- to companies in our group and our affiliates;
- to our suppliers, sub-contractors and third party data processors (including card payment and direct debit payment processors, marketing and data analytics service providers, collection agents, tracing agents, insolvency practitioners, professional advisers and persons who provide us with the following services from time to time: identification and fraud check; marketing; technology; platform support; and back-up and business continuity);
- with any third party you have asked us to share your personal data with, including social media sites if you have asked us to connect with your social media account;
- to credit reference and fraud prevention agencies (see sections 7 and 8 below for more information on this);
- to a third party if it acquires all or part of our business or assets in connection with the acquisition, or to a successor in interest in the unlikely event of our insolvency, winding up or liquidation;
- if we are required to do so by applicable law and regulation or by any governmental, tax, regulatory body or law enforcement agency;
- if you are represented by an Agent, to your Agent; and
- to any other person with your prior consent to do so.
Third parties who process your personal data on our behalf are only permitted to process your personal data in accordance with our instructions and we take steps to ensure that the transfer and any on-going processing by those third parties is carried out securely and in accordance with applicable privacy laws.
Save as expressly provided above, or otherwise without your consent, we will not share your personal data with any third party.
5. Data Retention
We will not keep your personal data for longer than is necessary for the purposes for which it was collected and is processed and for the purposes of satisfying our legal, accounting or regulatory reporting requirements. These requirements generally permit us to retain our company and License Buyer files for a period of six years after the end of the licence relationship (i.e. the date on which we no longer provide services to you as a company or License Buyer). We may retain data for longer than this in certain circumstances, for example in the event of an ongoing dispute.
6. Overseas Transfers
We are part of a global group of companies and, in order to support our business in the most efficient manner possible, we share infrastructure and functions across our business internationally. This means that we may transfer your personal data to, or your personal data may be accessible in, any location in which we do business. If your information is transferred to or accessible in a country which is not considered by the European Union to adequately protect of personal data (such as the USA), we will always take steps to ensure that your information is protected and that those transfers comply with applicable privacy laws.
We may transfer your information to other countries, including those outside the European Economic Area, either for storage purposes or if we engage suppliers, sub-contractors or third party data processors who are based or have operations overseas. We will always take steps to ensure that your information is protected and that those transfers comply with applicable privacy laws.
7. Credit Reference Agencies (“CRAs”)
From time to time we undertake credit reference checks against companies and License Buyers (and against directors, partners, members, shareholders and beneficial owners of companies and License Buyers), guarantors and Agents:
- as part of the application process, to assess creditworthiness and product suitability;
- for general credit management, account management and identity/know-your-customer (KYC) checks during the term of a listing agreement;
- to trace and recover debts if there are late repayments or default; and
- to prevent criminal activity.
In order to do this, we will supply your personal information to CRAs and they will give us information about you, such as about your financial history. When CRAs receive a search request from us they will:
- place a credit search “footprint” on your business credit file following each credit application, whether or not your application proceeds. If the search was for a credit application the record of that search may be seen by other organisations when your business applies for credit in the future;
- place an enquiry or organisational search on the personal credit files of directors, partners, members, beneficial owners and shareholders that have been searched, as well as an associate enquiry search on your personal financial partner’s credit file, if they are a director;
- link together the previous and subsequent names advised by you of anyone that is a party to the account;
- place an enquiry or identification search on the record of any shareholder or beneficial owner and who we have checked; and
- create a record of the name and address of your business and its proprietors (if there is not one already).
We will give details of all licences taken through our marketplace and how they are managed to the CRAs. If you enter into a licence and do not pay royalties in full and on time, the CRAs will record the outstanding debt and, in some cases, the length of time that the debt remains outstanding; other organisations may see these updates and this affect your ability to obtain credit in the future.
We will also continue to exchange information about you with CRAs on an ongoing basis about your settled accounts and any debts not fully repaid on time. CRAs will share this information with other organisations.
Any records shared with CRAs will remain on file for six years after your account is closed, whether any outstanding sums have been settled by you or following a default. You can contact the CRAs currently operating in the UK. The information they hold may not be the same so you may consider contacting them all. They will charge you a small statutory fee.
8. False information and Fraud Prevention Agencies (“FPAs”)
If we suspect or identify fraud we may record this and may also pass this information to FPAs (such as CIFAS) and other organisations involved in crime and fraud prevention including law enforcement agencies. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.
Whenever fraud prevention agencies transfer your personal data outside the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to “international frameworks” intended to enable data sharing.
9. Your rights
You may, at any time:
- exercise your right to request access to certain personal data records we hold about you (a subject access request), by emailing firstname.lastname@example.org with the subject line “subject access request”;
- request that we update and correct any out-of-date or inaccurate personal data we hold about you by emailing email@example.com with the subject line “data update request”, and also log-in to your ILOCX account and make changes yourself;
- contact us to register your preferences for how we contact you at firstname.lastname@example.org
- opt out of any marketing communications that ILOCX may send you by emailing us at email@example.com, or writing to our Data Protection Officer at 23 Northumberland Avenue, London WC2N 5AP or by following the link on any email marketing you have received or by following the appropriate opt-out procedures that we include on all marketing materials;
- exercise your right to object to our continued processing or your right of erasure, neither of which is a guaranteed or absolute right. We will consider all requests of this nature and take into account any compelling legitimate grounds to continue processing, for example our need to continue to process your personal data in connection with any legal or regulatory requirements to which we are subject; and
When you contact us, we will need you to provide us with adequate information to identify yourself to enable us to assist you in fulfilling your request. We will deal with your request as soon as possible.
You may also request that the CRAs we use provide you with information that they hold about you. You must contact them directly to do this.
10. Security and other Third Parties
ILOCX takes appropriate technical and organisational measures to safeguard the personal data that you provide to us, but we accept no liability if communications are intercepted by third parties or incorrectly delivered or not delivered.
If we transfer your information to third parties we will take steps to ensure that the transfer and any on-going processing by those third parties is carried out securely and in accordance with applicable privacy laws.
You also have a responsibility to ensure that your information is kept secure. If you are a member of our marketplace, you must:
- keep your login details secret;
- log out of your account when not using it;
- maintain good internet security (for example, be careful when using public WiFi or shared access internet connections); and
- tell us immediately if you think your account has been compromised.
11. Contact Details
- If you have concerns about how we manage your personal data, you can make a complaint to the UK Data Protection Authority, the Information Commissioner’s Office. You can find their contact details here: https://ico.org.uk/global/contact-us/.
12. About ILOCX
ILOCX Limited is a company incorporated in England and Wales, with registered number 11077776 and registered office at 23 Northumberland Avenue, London, WC2N 5AP. ILOCX Limited is registered with the Information Commissioner with registration number ZA496521.