Recruitment Privacy Policy

Loan.co.uk (‘we’, ‘us’, ‘our’) respects your privacy and is committed to protecting your personal data. This notice explains how we collect, use, store, and share your information during the recruitment process, and outlines your rights under data protection law.

About us

Loan.co.uk Limited is a credit broker, registered in England and Wales, company number 05455171. Loan.co.uk Limited’s registered office is 46 Alexandra Street, Southend-on-Sea, Essex, UK, SS1 1BJ.

You can contact us by email at compliance@loan.co.uk

Our commitment to you

We process your personal data in accordance with the overarching principles and requirements set out in the UK General Data Protection Regulation and the Data Protection Act 2018 (‘Data Protection Law’). What this means is that we process your data in a way that is:

Lawful, fair and transparent;
Compatible with the purposes that we have told you about;
Adequate and necessary, we only use the data we need to use for the reason we told you;
Accurate and up to date;
Not excessive, we only keep your data for as long as we need it; and
Secure and protected.

Why we process your personal data

We need to process personal data for a number of reasons as part of our recruitment and onboarding processes.

Who is the Applicant Privacy Notice addressed to?

This privacy notice explains how we process your personal data if you are:

a job applicant, whether applying directly to us, via a job board or via a recruitment agency;
a successful applicant, prior to the confirmation of your appointment with us;
a referee or a recruitment agent.

Please refer to the Employee Privacy Notice once your appointment has been confirmed with us.

Ways we collect your personal data

There are a number of ways in which we may collect personal data about you, these include:

From you directly where you contact us in writing, by e-mail, when you meet with our team in person or by video call, by telephone, through our online portal, website or social media platform. You may contact us to provide a reference, enquire about a role, submit an application, schedule an interview, participate in recruitment exercises, provide pre-screening employment information or to express an interest to work with us;
From a recruitment agent we have engaged to match candidates to our vacancies, or through an online recruitment platform we used to advertise the role;
From your current and/ or former employers and/ or referees as part of our reference checks;
From providers of psychometric, skills, and aptitude tests as part of our recruitment exercise;
From providers of identity verification and compliance services as part of our onboarding background checks;
Via CCTV operating in any of our office sites or buildings;
From the devices you use when you access our website;
From publicly available information about you such as your LinkedIn profile or your current employer website profile.

What personal data do we process for Applicants, Recruiters and Referees?

Data Type	Information Collected
Enquiry Data	Personal data you provide when you make an enquiry to us regarding a role.
Applicant’s Contact Personal Data	Full Name Postal address Email address (personal and/or business) Phone Numbers Occupation
Recruitment Data (including special category data)	CVs and covering letters. Completed application forms which may include contact details, career history, qualifications and skills, hobbies and interests. Information communicated in job interviews or through our recruitment processes.
Equality Monitoring Data (including special category data)	We may collect and process gender, gender identity, ethnic origin, disability, religion and sexual orientation information at the application stage to ensure meaningful equal opportunity monitoring and reporting.
Health and Medical Data (also special category data)	We may collect information about your health e.g. your disability status in order to provide appropriate adjustments during the recruitment process.
Financial Data	In the course of the recruitment process, we may collect information relating to your current/previous salary and salary expectations.
Criminal Convictions Data	At the application stage, you may be asked to disclose the following: Convictions (as well as spent convictions, if applying for an Advocate and Solicitor’s role). In accordance with the Rehabilitation of Offenders Act 1974, you will not be asked to disclose any spent convictions, unless the job you are applying for falls into the following category: Advocates and Solicitors. In accordance with the Exclusions and Exceptions (Scotland) Order 2003, these jobs are exempted from the right not to declare spent convictions. Convictions/offences in the past 5 years in relation to driving records. This information is required for insurance purposes and only if relevant for the post for which you are applying.
Right to Work in the UK	British citizen status, UK work permit status or right to live in the UK status. Proof of status will be required for successful candidates. This information is legally needed to prove you have a right to work in the UK.
Psychometric Data	We use recruitment aptitude tests, involving profiling, as part of our selection. No automated decision-making takes place as we do not solely rely on the output of these tests to make a recruitment decision.
CCTV Data	Our office locations may operate CCTV and where they do this is clearly signposted. If you visit our offices your images may be captured on CCTV for security purposes.
Personal Data within correspondence	Copies of letters, e-mails received or sent by us, and information you have provided to us in letters, e-mails, texts and audio recordings taken in relation to the recruitment process and employment. We may also keep notes and records of matters we discuss.
Website Data	Includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. Our external website uses cookies and we may collect information about how you use our website.
Video telecommunication and collaborative platform data	When invited and participating to a virtual meeting, the following types of information may be recorded: your registration and participant information such as name, email address and other contact/profile details. direct interactions generated in meetings such as audio, video, chat messaging content, comments. AI generated transcriptions and summaries of conversations.
Recruiters and referees’ personal data	Name Occupation Company/ organisation Business or personal email address Business or personal phone number Business or personal postal address Your relationship to the applicant Any information provided to us in emails, letters, calls in relation to the recruitment process of an applicant. We only process referees’ and recruiters’ data in connection with a candidate’s application, and will not use it for any unrelated purposes.

What additional personal data do we process for successful candidates?

Data Type	Information Collected
Applicant’s Contact Personal Data	Full Name Postal address Email address (personal and/or business) Phone Numbers Occupation Your relationship to other persons Your emergency contacts
Identity Verification Data	Date of birth Gender Photograph/Video Photographic ID document Address history Credit data Other identity evidence as required to meet our regulatory obligations.
Health and Medical Data (also special Category Data)	In the course of your onboarding, we may process additional information about your health in order to provide equal access and workplace adjustments and to ensure meaningful equal opportunity monitoring and reporting.
Biometric Data (also special category data)	Facial similarity checks are run when completing your ID verification with our identity verification and compliance services provider. The biometric technology compares an image of your face to the image on your ID document.
Other screening information held in public records	Information held in public records, such as registers of insolvency, death, public offices held and any adverse information in the public domain for specific role types, or type of work undertaken.
Financial and Credit Data	Information about your bank details to facilitate remuneration UK National Insurance number for taxation reasons Credit reports (hard credit checks) for specific role types
Criminal Convictions and offences Data	As the nature of our work requires a high degree of trust and integrity we undertake a disclosure of your criminal records for certain role types.
References	Information on your previous employment and reference details for this. Information provided by the referees regarding your employment and/ or character. For certain roles this will include all engagements within the previous 6 years. References are given in confidence, and not disclosable to the job applicant in most cases.
Professional regulation data	Any relevant professional and academic qualifications, professional registration and disciplinary checks.
Enquiry Data	Personal data you provide when you make an enquiry to us regarding a role via our website or via social media.
Recruitment Data (including sensitive data)	Any information communicated through our recruitment processes. Information about any other adjustments required and scheme enrolments, such as benefits and flexible working preference.

If you fail to provide personal data

Where we need to collect your personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may not be able to perform our obligations but we will notify you if this is the case at the time.

Why we use your personal data

We will use your personal data where it is necessary for us to:

comply with our legal obligations; or
enter into and perform a contract with you; or
fulfil our legitimate interests.

We may occasionally ask for your consent to process your personal data, particularly in circumstances where processing is not based on a legal obligation, contract, or our legitimate interests. Where we do rely on consent, we ensure it is freely given, specific, informed, and unambiguous.

You have the right to withdraw your consent at any time. To do so, simply email us at compliance@loan.co.uk stating which processing activity or type of data you no longer wish to be processed on the basis of consent.

Once we receive your withdrawal request, we will action it within five working days and confirm once it has been completed.

Please note: Withdrawal of consent does not affect the lawfulness of any processing carried out before your consent was withdrawn. However, where consent is the only lawful basis for a specific processing activity, we will cease that processing upon withdrawal unless we can rely on another legal basis or are required to retain the data for legal or regulatory reasons.

Data Protection Impact Assessments (DPIAs)

Where our processing activities are likely to result in a high risk to individuals’ rights and freedoms, for example, the use of biometric data for identity verification or AI tools in recruitment, we carry out Data Protection Impact Assessments (DPIAs) in line with our obligations under UK data protection law.

Summaries of these assessments can be made available to the Information Commissioner’s Office (ICO) or to data subjects upon request, where appropriate.

Purposes of Processing

Purpose	Lawful Basis of Processing (with GDPR Article)
To communicate with candidates, recruitment agencies and websites advertising our vacancies, regarding applications, interviews, feedback and role offer.	Performance of an Employment Contract (Article 6(1)(b)) Legitimate Interests – to contact you to respond to communications from you. (Article 6(1)(f))
To populate our internal directory and systems with a picture of the successful candidate.	Consent (Article 6(1)(a))
To assess your skills, qualifications, employment history and suitability for the role.	Consent (Article 6(1)(a)) Legitimate Interests – to support the assessment of your suitability for the role. (Article 6(1)(f))
To make decisions on your suitability for shortlisting for interview, interview and offer of the role.	Consent (Article 6(1)(a)) Performance of an Employment Contract. (Article 6(1)(b))
To provide equal opportunity monitoring and reporting	Explicit consent (Article 9(2)(a)) You have the right to withdraw your consent at any time.
To provide equal access and workplace adjustments during the recruitment process	Employment – processing that is necessary for carrying out obligations or exercising rights, imposed or conferred by law in connection with employment. (Article 6(1)(c), Article 9(2)(b))
Financial management and planning, including payroll	Performance of an Employment Contract. (Article 6(1)(b)) Legal obligation (Article 6(1)(c))
To comply with pre-employment vetting checks, which may vary depending on role type, including reference checks, identity verification, prevention of financial crime, probity checks (criminal convictions, credit reports), right to work.	Performance of an Employment Contract (Article 6(1)(b)) Legal Obligation to ensuring our business is carried out in compliance with the law or with our regulators’ guidance. (Article 6(1)(c)) When processing special category data: • For reasons of substantial public interest – processing that is necessary for preventing fraud and suspicion of terrorist financing or money laundering. (Article 9(2)(g)) • Employment – processing that is necessary for carrying out obligations or exercising rights, imposed or conferred by law in connection with employment. (Article 9(2)(b)) Criminal convictions and offences data: We process criminal convictions and offences data in accordance with Article 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018. The specific lawful bases for processing are: · Article 6(1)(b) – performance of an employment contract · Article 6(1)(c) – compliance with a legal obligation In line with Schedule 1, Part 1, Paragraph 1 (employment law), and Part 2, Paragraph 12 (substantial public interest – preventing fraud), we may process criminal convictions data where necessary for: · verifying suitability for certain regulated roles, · complying with regulatory or insurance requirements, or · assessing trust and integrity in high-risk positions.
Record-keeping	Legal obligation – we are required to retain certain information about you to comply with legal requirements. (Article 6(1)(c)) Legitimate Interests – to establish, exercise and/or defend any legal claims that may be brought by or against us in connection with your recruitment (i.e. discrimination claims). (Article 6(1)(f))
Cookies – we use cookies that are essential for the functionality of our website and we also use non-essential cookie which help us to understand how our website is used by visitors. Both essential and non-essential cookies use certain personal data. More information on our use of Cookies can be found in our Cookies policy.	Legitimate Interests – functional cookies which are necessary for the operation of our website. (Article 6(1)(f)) Consent – cookies which track how you interact with our website. (Article 6(1)(a))
IT and Security – we may use personal data to administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and to carry out system upgrade or system replacement.	Performance of an Employment Contract (Article 6(1)(b)) Legitimate Interests – to ensure our website is secure and functioning. (Article 6(1)(f)) Legitimate Interests – to ensure we use the most appropriate systems. (Article 6(1)(f))
To support shortlisting with AI-assisted analysis	Legitimate Interests (Article 6(1)(f))

Where we store your personal data and information security

We take appropriate technical and organisational measures to secure your personal information and protect it against unauthorised or unlawful processing as well as against its accidental loss or destruction or damage. Some of these measures include:

Using secure cloud-based servers to store your personal data, based in the UK and the EU.
Verifying the identity of individuals who access your personal data.
Regular review of our Information Security Management System.
Utilising a number of anti-virus and anti-malware systems at the gateway, on email and on endpoints to protect against cyber threats and encryption technologies to protect personal data where appropriate.
Deploy data loss prevention as part of our software to help detect and mitigate the risk of data loss.
Restricting access only to those employees who need to know the information to deliver the service to you.
Providing regular data protection and information security training to all our employees.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted.

Once we have received your personal data, we will use strict procedures and security features as outlined above to try to prevent unauthorised access to your personal data. We cannot be held responsible for the security of your personal data collected by websites that our site may link to. Such third parties shall have their own privacy notices and you should read these carefully.

Using Artificial Intelligence during Recruitment

As part of our recruitment process, we may use artificial intelligence (AI) tools to support decision-making. These tools help us review applications more efficiently and fairly by identifying patterns in qualifications, skills, and experience based on predefined criteria.

AI is used as a support tool to assist our hiring teams—it does not make final hiring decisions. All decisions are ultimately reviewed and made by experienced members of our recruitment team.

We may use artificial intelligence (AI) tools to record, transcribe, and generate summaries of our meetings with candidates. These tools help us accurately capture conversations, reduce manual note-taking, and improve the efficiency and fairness of our recruitment process.

We are committed to using AI responsibly, transparently, and in line with data protection laws. Any AI technologies we use are thoroughly tested for accuracy and bias and are regularly reviewed to ensure fairness and compliance.

You may request human review of any decision supported by AI at any stage.

If you have any questions or concerns about how AI is used in our recruitment process, please contact compliance@loan.co.uk

Sharing personal data

If we share personal information with external third parties, we shall keep this to a minimum and take reasonable steps to ensure that recipients shall only process the disclosed personal data for those purposes and in accordance with our instructions.

In the course of the recruitment and onboarding processes, we may be required to share your personal data with third party service providers.

We will not transfer your personal data to anyone else without your permission, except:

Where we are obliged by law or regulatory obligations.
Where we share your information with third party service providers.
Where we share your information with third parties who provide essential services.
Where some or all of our assets are purchased by a third party.

We will never sell your information or disclose it for direct marketing purposes.

We require all third-party service providers and data processors to respect the security and confidentiality of your personal data and to process it only in accordance with our written instructions.

We have GDPR-compliant Data Processing Agreements (DPAs) in place with all third-party processors. These agreements ensure that processors:

act only on our documented instructions,
implement appropriate technical and organisational measures to ensure data security,
assist us in fulfilling data subject rights and breach notification obligations, and
do not engage sub-processors without our prior written approval.

Third parties are not permitted to use your personal data for their own purposes, and they must notify us immediately in the event of a personal data breach.

The types of organisations/groups that we may share personal data with are set out below:

suppliers and service providers used by us to conduct the recruitment exercise, such as call, video telecommunication and messaging platforms; cloud-based servers and systems for data storage, secure file sharing; employment agencies.
suppliers and service providers used by us to manage the relationship with applicants, recruiters and referees, such as; cloud-based servers and systems (i.e. for network security monitoring, HR recruitment management, such as applicant tracking, contextual recruitment, employment vetting management such as digital identity and criminal records verification providers, credit reference agencies).
financial organisations.
government departments.
the courts.
other professional advisers and consultants such as recruitment/consulting agencies, external law firms.
regulatory authorities.

A full list is available on request.

International transfers

We may transfer your personal information outside the UK, and when we do, we ensure appropriate safeguards are in place to protect your personal data and maintain an adequate level of protection.

Where personal data is transferred outside the UK, for example, when using Microsoft Teams, we implement suitable safeguards. These include the use of the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or reliance on adequacy regulations where applicable. For further details, see the global Teams Data Processing Addendum here.

We also carry out Transfer Risk Assessments (TRAs) where required and can make summaries available to the Information Commissioner’s Office (ICO) or data subjects upon request.

How long we will keep your personal data for

We keep the personal data that we obtain about you during the recruitment process for no longer than is necessary for the purposes for which it is processed. How long we keep your data will depend on whether your application is successful and you become employed by us, the nature of the data concerned, and the purposes for which it is processed.

We will keep recruitment data (including interview notes) for no longer than is reasonable, taking into account the limitation periods for potential claims, after which they will be destroyed. We typically retain candidate data for 6–12 months after the recruitment process concludes unless otherwise required by law or you request its earlier deletion. If there is a clear business reason for keeping recruitment records for longer than the recruitment period, we may do so with your consent.

Data of successful applicants will be retained in line with our Employee Privacy Notice.

Changes in personal information

It is important that the personal data we hold about you is accurate and up-to-date. Please keep us informed if your personal information changes while we hold your details.

Questions and concerns

If you have any questions or concerns on how we collect, handle, store or secure your personal data, please contact: compliance@loan.co.uk

You have the right to lodge a complaint with the Information Commissioners Office (ICO) if you think we have infringed your rights. The ICO’s contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

www.ico.org.uk

Your rights

Individual Right	What it means
Right to be informed	This Privacy Notice provides you with details as to how we collect and use your personal data.
Right to access	You have a right to request access to the personal data we hold about you by making a “subject access request”. You will be provided with a copy of all personal information that we hold about you. There will be no charge for providing you with this information.
Right of rectification	You have a right to request that we correct or complete any inaccurate or incomplete personal data we hold about you.
Right of erasure	You have the right to ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for retaining it. If we are required to keep your personal data to comply with our legal or regulatory obligations or legitimate interests in legal proceedings or claims, then we may have to decline your request.
Right to restrict processing	You have the right to request that we restrict the processing of your personal data that we hold about you for specific reasons. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or the protection of the rights of another person, or for an important public interest, then we may have to decline your request.
Right to data portability	You have a right to obtain and reuse the personal data that we hold about you for your own purposes in certain circumstances.
Right to object	You have a right to object to us processing your personal data. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or can demonstrate our compelling legitimate interests or our appropriate safeguards in place for the specific purpose of scientific, historic research or statistics necessary for the performance of a task carried out in the public interest, then we may have to decline your request.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time Limit to respond

We try to respond to all legitimate requests within one month from the date we receive it. Occasionally, we may extend the time for response by up to two months if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Data Breach Notification

We have robust internal procedures in place to detect, manage, and report personal data breaches in accordance with our obligations under UK data protection law.

Where required, we will report qualifying personal data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

Changes to our privacy notice

We may be required to update this Privacy Notice from time to time. The up-to-date version will always be on our website, and we will communicate material updates to our clients from time to time. We will not process your personal data for purposes other than those set out in this document or which may be prejudicial to your interests without letting you know and giving you the opportunity to review and object to any such amended processing.

Contact us

If you have any questions regarding this Privacy Notice, please contact: compliance@loan.co.uk

Version 2.0 – 19 June 2025