Privacy Policy
Last updated: 30 January 2026
1. Introduction
Cairnstone Capital Ltd ("we", "us", "our") is committed to protecting your privacy and handling your personal data responsibly. This privacy policy explains how we collect, use, store, and protect personal data when you use our invoice finance services.
We are the data controller for the personal data we process. We are registered in Scotland (Company Number: [To be added]) with our registered office at [Address to be added].
2. Data We Collect
We collect and process the following categories of personal data:
Business Information
- Company name, registration number, and trading address
- Director and shareholder (UBO) details
- Financial statements and bank account information
- Aged debtor reports and receivables data
- Professional registration details (e.g., Law Society)
Identity Verification Data
- Full name, date of birth, and nationality of directors/UBOs
- Identity documents (passport, driving licence) and photographs
- Proof of address documents
- Biometric data (facial recognition for liveness checks)
Financial Data
- Bank transaction data (via Open Banking with your consent)
- Credit reference data from credit bureaus
- Payment history and facility usage
Technical Data
- IP address and browser information
- Device identifiers and usage data
- Cookies and similar technologies (see our Cookie Policy)
3. How We Use Your Data
We use your personal data for the following purposes and legal bases:
| Purpose | Legal Basis |
|---|---|
| Assessing your facility application | Contract (Art. 6(1)(b)) |
| Credit analysis and risk scoring | Contract (Art. 6(1)(b)) |
| Identity and AML verification | Legal obligation (Art. 6(1)(c)) |
| Ongoing facility monitoring | Contract (Art. 6(1)(b)) |
| Open Banking data access | Contract (Art. 6(1)(b)) |
| Fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Regulatory reporting | Legal obligation (Art. 6(1)(c)) |
4. AI and Automated Processing
We use artificial intelligence (AI) to help process your application and monitor your facility:
- Document extraction: AI extracts data from your aged debtor reports and financial documents
- Risk assessment support: AI assists in analysing financial patterns and generating risk indicators
- Adverse media screening: AI searches public sources for relevant news about your business
Important: All significant decisions affecting your facility (approvals, rejections, limit changes) are made by human reviewers. AI outputs are used to support, not replace, human decision-making.
You have the right to request human review of any automated assessment. Contact us at privacy@cairnstone.com to exercise this right.
5. Who We Share Your Data With
We share your personal data with the following categories of recipients:
Service Providers (Data Processors)
- Supabase: Database hosting (UK/EU data centres)
- Didit: Identity verification and AML screening
- T2A: Company credit checks
- Finexer: Open Banking data access
- Google (Gemini): AI document processing (zero data retention)
- Vercel: Website hosting
Regulatory Bodies
- HMRC (anti-money laundering supervision)
- National Crime Agency (suspicious activity reports)
- Information Commissioner's Office (data protection enquiries)
Professional Advisers
- Legal advisers (when necessary for legal proceedings)
- Auditors (for regulatory compliance)
6. International Data Transfers
Most of your data is processed within the UK and EU. Where we transfer data outside the UK (primarily to the US for AI processing), we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework certification
- Standard Contractual Clauses (SCCs)
- Zero data retention for AI processing (data is not stored after processing)
7. How Long We Keep Your Data
We retain your personal data for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| AML/KYC verification | 5 years post-relationship | MLR 2017 |
| Facility documentation | 6 years post-facility | Limitation Act |
| Bank transaction data | 6 years | Tax/audit |
| Declined applications | 12 months | Legitimate interest |
| Website analytics | 26 months | Analytics standard |
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal obligations)
- Restriction: Request limited processing of your data
- Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Automated decisions: Request human review of automated decisions
To exercise any of these rights, please contact us at privacy@cairnstone.com. We will respond within one calendar month.
Note: Some rights are limited where we have a legal obligation to retain data (e.g., AML records) or during an active facility.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access controls
- Multi-factor authentication for all accounts
- Regular security audits and penetration testing
- Secure data centres (SOC 2 / ISO 27001 certified)
10. Complaints
If you are unhappy with how we have handled your personal data, you can contact us at privacy@cairnstone.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Wycliffe House, Water Lane, Wilmslow, SK9 5AF
11. Contact Us
For privacy-related enquiries:
- Email: privacy@cairnstone.com
- Post: Cairnstone Capital Ltd, [Address to be added]
We do not have a Data Protection Officer as we are a small business that does not engage in large-scale processing of special category data. Our Privacy Lead handles all data protection matters.
12. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be notified via email or through our portal. The "last updated" date at the top of this page indicates when this policy was last revised.