Finpoint Limited is an organisation built on a culture of data privacy. We aim to collect information on a “need to know” basis and operate with our customers best interest at heart. The prevailing test for all our actions as an organisation and the actions our individuals are engaged in must meet a simple test: “If this was data about my business, would I be happy for the data to be used in this way?”
Yes, this policy applies to all businesses and consumers that engage with Finpoint, because new General Data Protection Regulation, or GDPR, was adopted by the European Council in April 2016 and comes into force across all EU member states on the same day: 25 May 2018.
The ambition for GDPR is to clarify obligations, make them more consistent across Europe and thereby improve trust among businesses and consumers in the way their data is handled. Finpoint welcomes standards such as GDPR, since it allows us to operate our business on the same high standards in many countries.
Since GDPR comes into force before the date Britain is scheduled to leave the EU, the UK government has confirmed the regulation will apply.
- Who we are
- Why we need your data and what we do with it
- How we look after your data, including how long we hold it
- What your rights are
- Definition of the terminology we use
Who we are
Finpoint Limited (“Finpoint”) is a company registered in England and Wales with Companies House number 08846630. We operate an online platform and various websites that collect, process and use data about businesses and individuals. As such, when we refer to “Finpoint”, we mean the Finpoint entity that acts as the controller or processor of your information, as explained in more detail in the “How we look after your data, including how long we hold it” section below.
This Data Protection policy applies to Finpoint’s platform (the “Platform”), telephone support, our associated mobile and desktop tools (collectively, the “Services”), Finpoint.co.uk and other websites (collectively, the “Websites”) and other interactions (e.g. customer service inquiries, events, etc.) you may have with Finpoint.
If you do not agree with the terms, please do not access or use the Platform, Services, Websites or any other aspect of Finpoint’s business.
Where our technology is utilised by partner organisations, our Platform, its linked website(s) and our communications may carry the branding of our partner (for example “FSB Funding Platform”) and refer to the partnership with a reference such as “FSB Funding Platform is a trading style of Finpoint Limited” or “in association with Finpoint”.
Please see below a list of our professional accreditations and memberships:
- Authorised and regulated by the Financial Conduct Authority (FCA) under reference number 727163
- Information Commissioner’s Office (ICO): reference number ZA111677
- Member of the Federation of Small Businesses (FSB)
- Member of the Confederation of British Industry (CBI)
- Member of Innovate FinanceTo access more information about our partnerships, please visit www.finpoint.co.uk/partners
This Data Protection Policy does not apply to any third party products, services or businesses, irrespective of whether such third party applications or businesses are integrated with the Services through the Finpoint platform (“Third Party Services”) or not.
Where the Data Room is used to collaborate with Authorised Users from several organisations (e.g., your employer or another entity or person), Finpoint expects the Authorised User that accesses and uses our Services first to control any connections to the Data Room. Furthermore, Finpoint expects Authorised Users to be in possession of the appropriate permissions to act for the organisation they have registered when joining the Finpoint platform and have permission to invite, engage with and un-invite other organisations thereafter.
If you have:
- any questions about specific Data Room settings and privacy practices, please contact the Authorised User whose Data Room you use in the first instance
- an account, you may contact Finpoint for support on www.finpoint.co.uk/contact
Why we need your data and what we do with it
Finpoint collects, processes and uses data about businesses and individuals in a variety of ways with the primary aim to assist organisations in areas such as fund raising, insurance and other business services.
Any information that you submit to Finpoint will not be shared without your consent. Back in 2014, Finpoint launched in the UK with the premise of collecting data, anonymising it and only then letting third parties express interest to connect with the Authorised User who provided the data. The idea then, as it is now, is to give business owners and their advisors a way to better control who has access to the data about a business and who should not get access to that data.
To see how our platform works, we have put together a “How it works” video: www.fsbfundingplatform.co.uk/how-it-works/
If you suspect any third party is deviating from or violating the Finpoint data protection policy, please let us know immediately so we can investigate any such reports.
Finpoint may collect and receive Customer Data and other information and data (“Other Information”) such as:
- Customer Data. Customers or individuals granted access to a Data Room by an Authorised User routinely submit Customer Data to Finpoint when using the Services. For registration on the Platform and in order to grant Authorised Users access to the Platform, Finpoint needs certain personal data. This personal data includes, among other things, the user’s e-mail address, name, telephone number (“Personal Data”), and, under certain circumstances, and with his or her consent, information on his or her background, qualifications and experience, which may be considered “Sensitive Personal Data”.
- Other Information. Finpoint also collects, generates and/or receives Other Information:
- Data Room and Account Information. To create or update a Data Room or Account, you or your Customer (e.g., your employer) supply Finpoint with an email address, phone number, password, domain and/or similar account details. For details on how our platform works, please visit https://finpoint.co.uk/how-it-works/
- Where Authorised Users access and use a paid version of the Services they provide Finpoint (or its payment processors) with billing details such as credit card information, banking information and/or a billing address
- Usage Information.
- Services Metadata. When an Authorised User interacts with the Services, metadata is generated that provides additional context about the way Authorised User work. For example, Finpoint logs the Accounts, Data Rooms, channels, people, features, content and links you interact with, the types of files shared and what Third Party Services are used (if any).
- Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
- Device information. Finpoint collects information about devices accessing the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Information often depends on the type of device used and its settings.
- Location information. We receive information from you, your Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Finpoint may also collect location information from devices in accordance with the consent process provided by your device.
- Third Party Services. Customer can choose to permit or restrict Third Party Services for their Data Room. Typically, Third Party Services are software that integrate with our Services, and Customer can permit its Authorised Users to enable and disable these integrations for their Data Room. Once enabled, the provider of a Third Party Service may share certain information with Finpoint. For example, if a cloud accounting application is enabled to permit files to be imported to a Data Room, we may receive user name and email address of Authorised Users, along with additional information that the application has elected to make available to Finpoint to facilitate the integration. Authorised Users should check the privacy settings and notices in these Third Party Services to understand what data may be disclosed to Finpoint. When a Third Party Service is enabled, Finpoint is authorized to connect and access Other Information made available to Finpoint in accordance with our agreement with the Third Party Provider. We do not, however, receive or store passwords for any of these Third Party Services when connecting them to the Services.
- Contact Information. In accordance with the consent process provided by your device, any contact information that an Authorised User chooses to import (such as email addresses from a device) is collected when using the Services.
- Third Party Data. Finpoint may receive data about organisations, industries, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate level data, such as which IP addresses correspond to post codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.
- Additional Information provided to Finpoint. We receive Other Information when submitted to our Websites or if you participate in a focus group, contest, activity or event, apply for a job, request support, interact with our social media accounts or otherwise communicate with Finpoint.
Generally, no one is under a statutory or contractual obligation to provide any Customer Data or Other Information (collectively, “Information”). However, certain Information is collected automatically and, if some Information, such as Data Room setup details, is not provided, we may be unable to provide the Services.
Customer Data will be used by Finpoint in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law. Finpoint is a processor of Customer Data and Customer is the controller. Customer may, for example, use the Services to grant and remove access to a Data Room, assign roles and configure settings, access, modify, export, share and remove Customer Data and otherwise apply its policies to the Services.
Finpoint uses Other Information in furtherance of our legitimate interests in operating our Services, Websites and business.
More specifically, Finpoint uses Other Information:
- To provide, update, maintain and protect our Services, Websites and business. This includes use of Other Information to support delivery of the Services under a Customer Agreement, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities or at an Authorised User’s request.
- As required by applicable law, legal process or regulation.
- To communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Information to respond.
- To develop and provide search, learning and productivity tools and additional features. Finpoint tries to make the Services as useful as possible for specific Data Rooms and Authorised Users. For example, we may improve search functionality by using Other Information to help determine and rank the relevance of content, channels or expertise to an Authorised User, make Services suggestions based on historical use and predictive models, identify organisational trends and insights, to customize a Services experience or create new productivity features and products.
- To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services, our Services offerings, and important Services-related notices, such as security and fraud notices. These communications are considered part of the Services and you may not opt out of them. In addition, we sometimes send emails about new product features, promotional communications or other news about Finpoint. These are marketing messages so you can control whether you receive them.
- For billing, account management and other administrative matters. Finpoint may need to contact you for invoicing, account management and similar reasons and we use account data to administer accounts and keep track of billing and payments.
How we look after your data, including how long we hold it
This section describes how Finpoint may share and disclose Information. Customers determine their own policies and practices for the sharing and disclosure of Information, and Finpoint only controls how they or any other third parties choose to share or disclose Information in so far as to ensure compliance with Finpoint’s own obligations in respect of applicable laws, statutory and/or regulatory requirements.
- Displaying the Services. When an Authorised User submits Other Information, it may be displayed to other Authorised Users in the same or connected Data Room. For example, an Authorised User’s email address may be displayed with their Data Room profile. Please contact us for more information on Services functionality.
- Collaborating with Others. The Services provide different ways for Authorised Users working in independent Data Rooms to collaborate, such as shared projects. Other Information, such as an Authorised User’s profile Information, may be shared, subject to the policies and practices of the other Data Room(s).
- Customer Access. Owners, administrators, Authorised Users and other Customer representatives and personnel may be able to access, modify or restrict access to Other Information. This may include, for example, your employer getting access to logs of Data Room activity, or accessing or modifying your profile details. For details on how our platform works, please visit https://finpoint.co.uk/how-it-works/
- Third Party Service Providers and Partners. We may engage third party companies or individuals as service providers or business partners to process Other Information and support our business. These third parties may, for example, provide virtual computing and storage services. Additional information about the subprocessors we use to support delivery of our Services is set forth at Finpoint Subprocessors.
- Third Party Services. Customer may enable or permit Authorised Users to enable Third Party Services. When enabled, Finpoint may share Other Information with Third Party Services. Third Party Services are not owned or controlled by Finpoint and third parties that have been granted access to Other Information may have their own policies and practices for its collection and use. Please check the privacy settings and notices in these Third Party Services or contact the provider for any questions.
- Corporate Affiliates. Finpoint may share Other Information with its corporate affiliates, parents and/or subsidiaries.
- During a Change to Finpoint’s Business. If Finpoint engages in a merger, acquisition, bankruptcy, dissolution, reorganisation, sale of some or all of Finpoint’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all Other Information may be shared or transferred, subject to standard confidentiality arrangements.
- Aggregated or De-identified Data. We may disclose or use aggregated or de-identified Other Information for any purpose. For example, we may share aggregated or de-identified Other Information with prospects or partners for business or research purposes, such as telling a prospective Finpoint customer the average amount of funding requested within a typical Data Room.
- To Comply with Laws. If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.
- Requests for Customer Data by Individuals. Third parties seeking access to Customer Data should contact the Authorised User regarding such requests. The Authorised User controls the Data Room and generally gets to decide what to do with all Customer Data.
- Finpoint requires a search warrant issued by a court of competent jurisdiction to disclose Customer Data. Requests should be prepared and served in accordance with applicable law. All requests should be narrow and focused on the specific Customer Data sought, such as:
- the requesting party,
- the relevant criminal or civil matter, and
- a description of the specific Customer Data being requested, including the relevant Customer’s name and relevant Authorised User’s name (if applicable), any links, and type of data sought.
- To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of Finpoint or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
- With Consent. Finpoint may share Other Information with third parties when we have consent to do so.
Finpoint takes security of data very seriously. Finpoint works hard to protect Other Information you provide from loss, misuse, and unauthorised access or disclosure. These steps take into account the sensitivity of the Other Information we collect, process and store, and the current state of technology. Finpoint follows industry best practice for the provision of its Platform and Services and Finpoint reserves the right to transfer your Personal Data to countries other than the one in which you live or your business is located in. Finpoint selects its Subprocessors based on internationally recognized security certifications such as ISO 27001 (information security management system) and ISO 27018 (for protecting personal data in the cloud). Given the nature of communications and information processing technology, Finpoint cannot guarantee that Information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others.
To the extent prohibited by applicable law, Finpoint does not allow use of our Services and Websites by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with personal data, please contact us and we will takes steps to delete such information.
What your rights are
Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete or correct this Information. You can usually do this using the settings and tools provided in your Services account. If you cannot use the settings and tools, contact the Authorised User for additional access and assistance or contact Finpoint for support.
To the extent that Finpoint’s processing of your Personal Data is subject to the General Data Protection Regulation, Finpoint relies on its legitimate interests, described above, to process your data. Finpoint may also process Other Information that constitutes your Personal Data for direct marketing purposes and you have a right to object to Finpoint’s use of your Personal Data for this purpose at any time.
Subject to applicable law, you also have the right to
- restrict Finpoint’s use of Other Information that constitutes your Personal Data and
- lodge a complaint with your local data protection authority or the Information Commissioner’s Officer, which is Finpoint’s lead supervisory authority. If you are a resident of the European Economic Area and believe we maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you may direct questions or complaints to our lead supervisory authority.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation which is available on https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ .
If you would like to exercise any of those rights, please:
- email, call or write to our Data Protection Officer
- let us have enough information to identify you,
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know the information to which your request relates, including any account or reference numbers, if you have them
Please also feel free to contact Finpoint if you have any questions about this Data Protection Policy or Finpoint’s practices, or if you are seeking to exercise any of your statutory rights. You may contact us at email@example.com or you can communicate with our Data Protection Officer. Please visit www.finpoint.co.uk/contact and select your preferred contact method to ask to be put in touch with the Finpoint Data Protection Officer.
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general, Customer is the controller of Customer Data. In general, Finpoint is the processor of Customer Data and the controller of Other Information. Different Finpoint entities may provide the Services in different parts of the world.
At present, Finpoint Limited, a company registered in England and Wales with Companies House number 08846630, is the sole controller of Other Information and a processor of Customer Data relating to Authorised Users who use Data Rooms established for Customers.
Definition of the terminology we use
“Finpoint” – Finpoint Limited, a company registered in England and Wales with Companies House number 08846630.
“Account” – An account consists of details such as email address, phone number, password, domain and/or similar details. Accounts are used by Finpoint to manage Authorised Users and their access to Finpoint Services and/or Website(s).
“Authorised User” – The individual that – on behalf of the legal entity they represent on the Platform – accesses and uses our Services to control their instance of such Services (their “Data Room”) and any associated Customer Data.
“Customer Data” – Any messages, files or other content shared through Finpoint Services and/or Accounts
“Data Room” – The way Authorised Users access and use our Services and control their instance of such Services (e.g. to collaborate with other Authorised Users), along with any associated Customer Data.
“Other Information” – Please see a detailed description of what we mean in the section titled “Why we need your data and what we do with it”.
“Personal Data” – Personal data means data relating to a natural person, registered on its own or as part of a company, financial institution or service provider for use in connection with a Data Room or other legitimate Finpoint business activities. Under certain circumstances, this can be the personal data of the respective authorised representative(s) of such companies, financial institutions or service providers.
“Platform” – the transactional online platform that gives Authorised Users access to a Data Room and that allows Authorised Users to connect with each other.
“Sensitive Personal Data” – Personal data relating to a natural person, such as information on his or her background, qualifications and experience.
“Services” – Finpoint’s platform, telephone support, our associated mobile and desktop tools we offer to Authorised Users.
“Third Party Data” – Please see a detailed description of what we mean in paragraph 7 of the section titled “Why we need your data and what we do with it”.
“Third Party Services” – any service or business which we may refer Authorised Users to, with their consent, irrespective of whether the service is integrated into the Finpoint platform or not.
“Website(s)” – Finpoint.co.uk and such other websites where Finpoint is the operator.