Solvenza Limited

Our Introduction

Solvenza Limited (“Solvenza”, “we”, “us”, “our”) is a UK-based debt purchase and recovery company regulated by the Financial Conduct Authority (FCA).

In the course of our business, we buy and manage customer accounts and carry out our own recoveries activity. This means we act as a Data Controller for the Personal Data we hold and use.

We are committed to:

Complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
Meeting the FCA's expectations, including Principles for Businesses, CONC, and Consumer Duty
Treating customers fairly and protecting their privacy and information at all times
This policy sets out how we handle Personal Data within Solvenza.

Our Scope

This policy applies to:

All Personal Data processed by Solvenza Limited
All staff, contractors, temps and anyone acting on our behalf
All systems, processes and channels used in recoveries and account management
It covers customers, former customers, guarantors, third parties, and any other individuals whose Personal Data we process in connection with our activities.

Our Role - Data Controller

For portfolios we purchase and recover ourselves, Solvenza Limited is the Data Controller.

We:

Decide what Personal Data we collect and why
Decide how we process, store, share and retain that data
Are responsible for ensuring that all Processing complies with UK GDPR and other applicable laws Where we use third parties (for example, IT providers, print houses, tracing agencies, analytics tools), they will usually act as Data Processors and must process Personal Data only on our documented instructions.

Lawful Bases for Processing

We only process Personal Data where we have a lawful basis. Depending on the activity, this may include:

Legitimate interests - e.g. managing purchased accounts, recovering sums due, preventing fraud, managing risk, improving processes
Legal obligation - e.g. complying with FCA rules, anti-money laundering laws, statutory reporting, court orders
Contract - e.g. taking steps in connection with a credit agreement or settlement agreement
Consent - e.g. where we rely on explicit consent for certain special category data or specific communications (only where appropriate)
We document our lawful bases and ensure they are explained in customer-facing privacy information.

Types of Personal Data We Process

Depending on the account and circumstances, we may process:

Identification data - name, address, date of birth, contact details
Account and financial data - account numbers, balances, payments, repayment plans, bank details (where required)
Communication records - call recordings, emails, letters, SMS, portal messages
Credit and risk data - credit reference agency information, internal and external risk indicators
Vulnerability and support-related data - information customers voluntarily share about health, circumstances or other factors that may affect their ability to manage their account (handled with extra care)
We apply the principle of data minimisation - we only collect and retain what we genuinely need.

Confidentiality & Staff Responsibilities

Everyone working for or on behalf of Solvenza must:

Keep Personal Data confidential
Only access data needed to perform their role
Complete training on data protection, FCA requirements, vulnerability, and Consumer Duty
Report any suspected data breach immediately
All staff are bound by contractual and/or statutory confidentiality obligations.

Use of Third Parties (Sub-Processors)

Where we use third parties to help us deliver our services (for example, IT hosting, telephony, printing, mailing, tracing, analytics):

We carry out due diligence to assess their security and compliance

We have written contracts in place that require them to:

Process Personal Data only on our documented instructions
Keep Personal Data secure and confidential
Assist us with data subject rights, incident management and audits if needed
Solvenza remains responsible for the acts and omissions of its Data Processors.

International Transfers

As a default, Solvenza aims to keep Personal Data within the UK and/or EEA.

Where data must be transferred outside the UK and/or EEA (for example, due to a cloud or telecommunications provider), we will only do so where:

The destination is covered by a UK adequacy regulation or Appropriate safeguards are in place (such as Standard Contractual Clauses with UK addendum / IDTA or other approved mechanisms);
The level of protection is essentially equivalent to that required under UK GDPR. We review transfer arrangements in light of regulatory and case law developments.

Security of Personal Data

We implement appropriate technical and organisational measures to protect Personal Data, taking into account the sensitivity of the data and the risks of processing. This includes, where appropriate:

Access controls and role-based permissions
Encryption in transit and at rest
Secure backups and disaster recovery
Network and system security controls
Device and endpoint protection
Staff training and monitoring for misuse

Data Breaches & Incident Management

A Data Security Incident is any event that leads to (or risks) unauthorised access, loss, alteration, disclosure or destruction of Personal Data.

If Solvenza becomes aware of a Data Security Incident, we will:

Log and investigate immediately
Contain and remediate the issue as quickly as possible
Assess risk to individuals and their rights
Where required, notify the ICO and, if appropriate, affected individuals without undue delay
Document the incident, root causes, and learning for future prevention
All staff must report suspected incidents immediately via internal procedures.

Data Subject Rights

Under UK GDPR, individuals have rights in relation to their Personal Data, including:

Right to be informed
Right of access
Right to rectification
Right to erasure (where applicable)
Right to restrict processing
Right to object to certain processing
Right to data portability (where applicable)
Rights related to automated decision-making and profiling

Solvenza will:

Provide clear privacy information
Respond to rights requests without undue delay, and within statutory time limits
Verify identity where needed
Record and track requests and responses

Retention & Deletion

We retain Personal Data only for as long as:

It is needed to manage the account and recover sums due
We are required by law or regulation (e.g. limitation periods, FCA rules, audit)

At the end of the retention period, data will be:

Securely deleted, anonymised, or irreversibly destroyed; and
Confirmed as deleted where requested and appropriate
Backups and archives are also managed to ensure data is not kept longer than necessary.

Vulnerability & Sensitive Information

Some customers may share information about vulnerabilities, health, or personal circumstances that affect their ability to manage their account.

In such cases, we will:

Only record what is necessary to support the customer appropriately
Use sensitive, neutral wording
Rely on a lawful basis (usually legitimate interests and, where needed, explicit consent for special category data)
Restrict access to those who need to know
Review and update the information regularly, and delete when no longer needed
Handling of vulnerable customer information is aligned with our Vulnerable Customer Policy and Consumer Duty framework.

Audits, Monitoring & Governance