Privacy Policy
How we collect, use and protect your personal data — the third parties we share it with, your rights, and how long we keep it.
Last updated: 17 June 2026 · v1.0
1. Who we are
Tailwind Finance Ltd (“Tailwind”, “we”, “us”, “our”) is a UK intermediary and broking service providing business funding solutions to SMEs. We are the data controller for the personal data described in this notice.
- Registered company: Tailwind Finance Ltd, registered in England and Wales, Companies House no. 17257498.
- Contact: privacy@tailwind-finance.co.uk.
- ICO registration: ZC169335.
We are a credit broker, not a lender, and we are not currently authorised by the Financial Conduct Authority.
You can reach the person responsible for data protection at privacy@tailwind-finance.co.uk. We are not required to appoint a statutory Data Protection Officer, but we treat data protection as a board-level responsibility.
2. Whose data this notice covers
This notice covers the people we deal with when arranging business funding — mainly the owners, directors, partners and authorised contacts of the businesses that apply, and, where relevant, beneficial owners and anyone giving a personal guarantee.
If you give us personal data about other people (for example a fellow director or a guarantor), you confirm you have their authority to do so and that you have made this notice available to them.
3. The personal data we collect
We collect only the data a funding application needs, and we tell you why.
Information you give us— your name, business email and phone; your company name and number; the funding amount, purpose and product you’re interested in; documents you upload (such as bank statements, accounts, ID and guarantees); and your account credentials.
Information we collect automatically — limited technical and session data needed to run the service securely (see our Cookie Policy), and, for fraud and abuse prevention, your IP address, device and browser information, and how you reached us.
Information from third parties — company and director information from Companies House; identity and sanctions screening results from our screening provider; your bank transactions (only if you choose to connect your bank — see the Open Banking section below); accounting figures (only if you connect your accounting software); and, where relevant, credit and fraud-prevention information from credit reference and fraud-prevention agencies.
We do not ask for or use special-category data (such as health information). Your bank transaction data and uploaded documents are sensitive, and we protect them accordingly (see how we protect your data, below).
We may use anonymised, aggregated information — which cannot identify you — to understand and improve our service. This is not personal data in law.
If you don’t provide certain data:some of what we ask for is needed by law or to provide the service. If you don’t provide it, we may not be able to progress or continue your application, and we’ll tell you if that’s the case.
4. How and why we use your data — and our lawful basis
| What we do | Why | Lawful basis (UK GDPR Art 6) |
|---|---|---|
| Create and secure your account | To give you access to the portal | Contract; legitimate interests (security) |
| Pre-qualify your enquiry | To show you indicative outcomes | Consent; legitimate interests (fraud prevention) |
| Verify your company and directors (KYB) | Due diligence; fraud and financial-crime checks | Legitimate interests; legal obligation where it applies |
| Carry out credit and fraud-prevention checks | To assess applications and prevent financial crime | Legitimate interests; legal obligation; consent (credit search) |
| Analyse your bank transactions | To assess affordability and match lenders | Consent (you connect your bank) |
| Read your accounting figures | To strengthen your application | Consent (you connect your software) |
| Place your application with lenders | To get you offers — the service you asked for | Contract |
| Collect documents and e-signatures | To complete and evidence the deal | Contract; legal obligation (record-keeping) |
| Send you service messages | To keep you informed | Contract |
| Send marketing (only if you opt in) | To tell you about relevant products | Consent |
| Keep audit and compliance records | Accountability | Legal obligation; legitimate interests |
Where we rely on consent, you can withdraw it at any time (see your rights, below). Where we rely on legitimate interests, we have balanced them against your rights and you can object (see your rights, below).
5. Automated decisions and profiling
We use automated processing to give you an indicative pre-qualification result and to match you to suitable lenders — for example, analysing your company information and cashflow to assess affordability and lender fit (this is a form of profiling).
These automated results are indicative only. They do not, by themselves, decide whether you can get finance: a person reviews applications before they progress, and the lender makes the final credit decision.
You have the right to ask for human review of, to express your view on, or to contest, any decision based solely on automated processing that has a significant effect on you. To do so, contact privacy@tailwind-finance.co.uk.
6. Open Banking (connecting your bank)
If you choose to connect your bank, we use an FCA-authorised Open Banking provider (Account Information Service Provider) to securely access your account and transaction information. We use this only to assess affordability and match you to suitable lenders.
- You give explicit consent at the point of connection, and you can withdraw it at any time.
- Consent typically lasts up to 90 days, after which we’ll ask again if needed.
- Your transaction data may include limited information about third parties you pay or are paid by (such as a name and sort code). We use this only to assess affordability and detect existing financial commitments, and we minimise what we keep.
- We never see or store your banking login, and your bank connection is held securely.
7. Who we share your data with
We share data only as needed to provide the service, and we name our providers.
Service providers (processors) — acting on our instructions only:
- Our Open Banking provider, to read your bank transactions if you connect your bank (see the Open Banking section above).
- Companies House, for company and director lookups (public register).
- Our identity and sanctions screening provider, for director identity, sanctions and PEP checks.
- Our cloud hosting provider, for secure hosting and storage in the UK.
- Our e-signature, email and SMS providers, when those features are in use.
Direct connections (separate controllers, not our processors) — if you connect your accounting software, it is connected directly under your authorisation to read your figures. The platform is the controller of its own data.
Lenders — when we place your application, the lender receives your application and supporting information and becomes a separate controller of that data under its own privacy policy.
We may also disclose data to regulators and authorities where we are legally required to. We do not sell your data, and we do not use it for third-party advertising.
8. Credit reference and fraud-prevention agencies
To assess applications, verify identity and meet our legal duties to prevent fraud and money laundering, we may carry out checks using credit reference agencies and fraud-prevention agencies.
Where you consent to a credit search, it is a ‘soft’ search that does not affect your credit score, though the agency may keep a record of it. The credit reference agencies have produced a Credit Reference Agency Information Notice (CRAIN) explaining how they use your data.
If we or a fraud-prevention agency conclude that you pose a fraud or money-laundering risk, we may refuse to provide our services. A record may be kept by those agencies for up to six years and may be used by other organisations to make their own decisions. Further detail is in the fraud-prevention agencies’ fair processing notice.
Fraud-prevention agencies may transfer your data outside the UK only where safeguards are in place to protect it to UK standards. Your rights over this data are set out below.
9. Your rights
You can ask us to: access your data; correct it; erase it; restrict or object to processing; receive it in a portable format; not be subject to solely automated decisions that significantly affect you (see automated decisions, above); and withdraw consent at any time.
To exercise any right, contact privacy@tailwind-finance.co.uk. We’ll respond within one month(we may extend by up to two further months for complex requests, and will tell you if so). There’s no fee, unless a request is manifestly unfounded or excessive. We may ask you to verify your identity first.
You can opt out of marketingat any time using the unsubscribe link in any marketing email, or by contacting us — this won’t stop the service messages you need to receive.
You also have the right to complain to the ICO, though we’d appreciate the chance to put things right first.
Where the law requires us to keep certain records (for example, financial records for six years), we may need to retain data even after a request — in which case we restrict its use rather than delete it.
10. How long we keep your data
- Records relating to a funding application or agreement: up to 6 years (financial record-keeping).
- KYB / due-diligence records: up to 5 years after our relationship ends.
- Enquiries that don’t proceed: a shorter period.
- Marketing data: until you opt out.
11. How we protect your data
We use appropriate technical and organisational measures to protect your data, including encryption of sensitive data in transit and at rest, strict access controls, and keeping your data in the UK. No system can be guaranteed completely secure, but we work to protect your information and to meet our legal obligations.
12. International transfers
We process your data in the UK. Where a provider processes data outside the UK, we rely on UK ‘adequacy’ regulations or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses to keep it protected.
13. Children
Our service is for businesses and is not directed at anyone under 18. We only process a child’s data where it is incidental and necessary — for example, where a child is a beneficial owner of a business that is our customer and we must verify who our customer is. We do not market to children.
14. Other websites we link to
Our site may link to websites we don’t control. We’re not responsible for their privacy practices, and we encourage you to read the privacy notice of any site you visit.
15. Cookies
We use as few cookies as possible and do not use advertising or cross-site tracking cookies. See our Cookie Policy for the cookies we use and how to manage them.
16. Changes and contact
We’ll update this policy as our service changes and post the new version here. For any questions or requests, contact privacy@tailwind-finance.co.uk.