Data and Privacy Policy.

Sencillo is a broker that facilitates access to education-related financial services. We operate a platform that connects customers with a marketplace of regulated lenders for the purpose of financing educational fees, such as nursery, school, or university tuition. We do not provide loans ourselves, nor do we hold client funds.

Sencillo is committed to protecting the privacy and security of your personal data. This document sets out our procedures for handling personal data and includes our Privacy Notice and UK GDPR compliance policy. It applies to all staff, contractors, and third-party service providers processing personal data on our behalf.

2. Privacy Notice

2.1 Who We Are

Sencillo Finance (“we”, “our”, “us”) is a consumer lending business registered in the UK. We act as the data controller of personal data for the purpose of providing financial services to our customers.

2.2 What Data We Collect

We collect different types of information to help us provide and improve our services. This includes:

• Information you give us when you register with us, such as your name, contact details, and financial information.

• Information we collect based on how you use our website or app, like your device type, browsing behaviour, and app usage.

• Information collected through cookies and similar technologies. For more details, please refer to our Cookies Notice.

Information you may give us includes:

• Title, name, and date of birth

• Email address and phone number

• Residential address and address history

• Employment details and income

• Monthly expenditure and financial commitments

• Bank and account information (e.g. account number, sort code, credit card number)

• Passport or driving licence details

• Property value, deposit amount, borrowing requirements

• Rental income or mortgage details

• Lifestyle details, where relevant

• Additional identity information you choose to share, such as photo ID, selfie video, or other documents like utility bills or bank statements
  
  

2.3 How We Collect Your Data

• Direct interactions via our website, app, or customer service team.

• Automated technologies through cookies and analytics tools.

• Third parties such as credit reference agencies and fraud prevention bodies.
  
  

2.4 Why We Use Your Data

• To enable our partners to assess loan eligibility and affordability.

• Prevent fraud and ensure regulatory compliance.

• Communicate with you about your account and product updates.

• Improve our products and customer experience.
  
  

2.5 Lawful Bases for Processing

We process data under the following lawful bases:

• Contractual necessity

• Legal obligation

• Legitimate interest

• Consent
  
  

2.6 Data Sharing and Transfers

We may share your data with:

• Credit reference agencies

• Payment providers and banking partners

• IT and analytics service providers

• Regulatory and fraud prevention bodies
  
  

Where we transfer data outside the UK, we ensure appropriate safeguards are in place.

2.7 Data Retention

We retain personal data for:

• 6 years after account closure

• Longer if required for regulatory, legal or dispute resolution purposes.
  
  

2.8 Your Rights

You have rights under UK GDPR, including:

• Access your data

• Correct or update your data

• Erasure (‘right to be forgotten’)

• Object to or restrict processing

• Data portability

• Withdraw consent at any time

To exercise your rights, contact: privacy@sencillo.finance

2.9 Complaints

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): www.ico.org.uk

3. UK GDPR Compliance Policy

3.1 Governance

• The Data Protection Officer (DPO) oversees all data privacy matters.

• Staff must complete annual data protection training.

• Data protection is embedded into all products via Privacy by Design and Default.
  
  

3.2 Data Protection Impact Assessments (DPIAs)

DPIAs are mandatory for high-risk processing, including:

• Automated credit decisions

• Large-scale profiling

• Use of new technology involving personal data
  
  

3.3 Security Measures

We implement appropriate technical and organisational measures including:

• Encryption at rest and in transit

• Role-based access controls

• Regular security audits

• Incident response and breach notification protocols
  
  

3.4 Data Subject Requests (DSRs)

• All DSRs must be acknowledged within 1 working day.

• Fulfilment will be completed within 30 calendar days.

• All requests must be logged and tracked.
  
  

3.5 Data Breaches

• All staff must report potential breaches immediately.

• The DPO will assess and, if necessary, report to the ICO within 72 hours.

• Affected individuals will be notified when required.
  
  

3.6 Record of Processing Activities (RoPA)

We maintain a live RoPA covering:

• Categories of data

• Purposes of processing

• Recipients

• Retention periods

• Security measures
  
  

3.7 Third-Party Management

All data processors must:

• Sign a Data Processing Agreement (DPA)

• Comply with UK GDPR

• Undergo periodic privacy and security assessments
  
  

4. Review and Updates

This document will be reviewed annually or after significant changes to data protection laws or our processing activities.

Contact Us

Data Protection Officer (DPO)
Email: privacy@sencillo.finance
ICO reference number: ZB907865
Address: 20 Wenlock Road, London, England, N1 7GU

Sencillo Finance Ltd is a company registered in England & Wales with company number: 15992336