1. INTRODUCTION

URCASH Financial Platform Services UK Limited ("URCASH," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, disclose, and safeguard your personal information when you use our peer-to-peer (P2P) lending platform and related services.

Company Details

Registered Name: URCASH Financial Platform Services UK Limited

Company Number: 16389705 (England & Wales)

Registered Address: 20 Wenlock Road, London, England, N1 7GU

Contact Information

Email: privacy@urcash.co.uk

Phone: +44(0) 808 271 0446

2. JURISDICTIONAL SCOPE

This Privacy Policy applies to users and data subjects in:

United Kingdom: UK GDPR compliance
European Union: EU GDPR compliance
India: Digital Personal Data Protection Act 2023 compliance
United States: State privacy laws including CCPA, CPRA, and federal regulations

3. DATA CONTROLLER INFORMATION

Primary Data Controller

URCASH Financial Platform Services UK Limited serves as the primary data controller for all personal data processed through our platform.

Representative Contacts

EU Representative

[To be appointed upon EU operations]

India Representative

[To be appointed upon India operations]

US Representative

[To be appointed upon US operations]

4. PERSONAL DATA WE COLLECT

4.1 Information You Provide Directly

Account Registration

Identity Information: Full name, preferred name, date of birth, nationality
Contact Information: Email address, phone number, residential and business addresses
Documentation: Government-issued identification documents
Financial Information: Employment information, income details, bank account and payment information

Investment and Lending Information

  • Investment capacity and risk tolerance
  • Credit history and financial statements
  • Loan applications and supporting documents
  • Investment preferences and objectives
  • Tax identification numbers

4.2 Information We Collect Automatically

Technical Data: IP address, geolocation data, device identifiers, browser information
Usage Data: Website usage patterns, analytics, platform usage statistics
Transaction Data: Payment processing information, transaction history and amounts
Security Data: Security and fraud detection data, cookies and tracking technologies

4.3 Information from Third Parties

Financial Data Providers

  • Credit reference agencies (UK: Experian, Equifax; US: FICO, etc.)
  • Banking data through Open Banking APIs
  • Investment platform integrations
  • Identity verification services

Regulatory and Compliance

  • Anti-money laundering (AML) databases
  • Sanctions screening services
  • Politically Exposed Person (PEP) databases
  • Fraud prevention networks

6. HOW WE USE YOUR PERSONAL DATA

6.1 Primary Business Purposes

Platform Services

  • Account creation and management
  • Identity verification and KYC compliance
  • Credit assessment and risk evaluation
  • Loan matching and investment facilitation
  • Payment processing and transaction management

Regulatory Compliance

  • Anti-money laundering (AML) monitoring
  • Know Your Customer (KYC) verification
  • Regulatory reporting to FCA, RBI, SEC, and other authorities
  • Sanctions screening and compliance
  • Consumer protection measures

6.2 Secondary Purposes

Marketing & Communications: Product updates, educational content, promotional offers (with consent)
Analytics & Research: Platform usage analytics, market research, product optimization
Customer Support: Customer service, platform security, fraud prevention
Business Intelligence: Risk model development, consumer behavior insights

7. DATA SHARING AND DISCLOSURE

7.1 Service Providers and Partners

Financial Service Providers: Payment processors, banks, credit reference agencies, investment platforms
Technology Providers: Cloud hosting (AWS, Google Cloud, Azure), analytics, security services
Support Services: Customer support platforms, marketing tools, communication services

7.2 Regulatory and Legal Disclosures

Financial Regulators

  • Financial Conduct Authority (FCA) - UK
  • Reserve Bank of India (RBI) - India
  • Securities and Exchange Commission (SEC) - USA
  • European Securities and Markets Authority (ESMA) - EU
  • Consumer Financial Protection Bureau (CFPB) - USA

7.3 Business Transfers

In the event of merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to appropriate safeguards and notice requirements.

8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

UK Transfers

  • Adequacy decisions by the UK government
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • International Data Transfer Agreements (IDTAs)

EU Transfers

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Derogations for specific situations

India & US Transfers

  • Government-notified countries (India)
  • Privacy Shield Framework (US, where applicable)
  • Contractual safeguards and data protection agreements
  • State-specific transfer requirements (US)

8.2 Cross-Border Processing Locations

Primary: United Kingdom, European Union

Secondary: United States, India

Cloud Providers: AWS (multiple regions), Google Cloud, Microsoft Azure

9. DATA RETENTION

9.1 General Retention Periods

Data Type | Retention Period | Purpose
Account Data | Duration of relationship + 7 years | Regulatory compliance
Transaction Records | 5-8 years (varies by jurisdiction) | Financial regulations
Communication Records | 3-7 years | Customer service & regulatory
Marketing Data | Until consent withdrawn or 2 years inactivity | Marketing consent management

9.2 Legal Retention Requirements by Jurisdiction

UK Requirements: FCA (5-7 years for financial records); Companies Act (6 years for accounting)
EU Requirements: MiFID II (5 years for investment records); AML Directives (5 years)
India Requirements: RBI NBFC (8 years for lending records); Companies Act (8 years for financial)
US Requirements: SEC (5-7 years for investment records); BSA (5 years for financial records)

10. YOUR PRIVACY RIGHTS

UK and EU GDPR Rights

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Transfer data to another service provider
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Challenge automated decisions

India DPDPA Rights

  • Right to Information: Know what data is being processed
  • Right to Correction and Erasure: Correct or delete personal data
  • Right to Grievance Redressal: Complaint mechanism
  • Right to Nomination: Appoint nominee for deceased persons
  • Right to Data Portability: Transfer data to another fiduciary

US State Privacy Rights (CCPA/CPRA)

  • Right to Know: What personal information is collected
  • Right to Delete: Personal information deletion
  • Right to Opt-Out: Of sale/sharing of personal information
  • Right to Non-Discrimination: For exercising privacy rights
  • Right to Correct: Inaccurate personal information
  • Right to Limit Use: Of sensitive personal information

10.4 How to Exercise Your Rights

Contact Methods

Email: privacy@urcash.co.uk

Phone: +44(0) 808 271 0446

Mail: Privacy Officer, URCASH Financial Platform Services UK Limited, 20 Wenlock Road, London, England, N1 7GU

Online Portal: [To be implemented]

Response Times

UK/EU: 1 month (extendable to 3 months)

India: Reasonable time as specified

US: 45 days (extendable to 90 days)

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 Types of Cookies We Use

11.2 Cookie Consent Management

UK/EU: Explicit consent required for non-essential cookies via cookie banner
India: Consent-based approach for all cookies that collect personal data
US: Notice-based approach with opt-out options where required by state law

12. SECURITY MEASURES

12.1 Technical Safeguards

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest

Access Controls: Multi-factor authentication, role-based access control

Network Security: Firewalls, intrusion detection, DDoS protection

Monitoring: 24/7 security monitoring and incident response

12.2 Organizational Safeguards

Staff Training: Regular privacy and security training, confidentiality agreements
Policies & Procedures: Data protection policies, incident response procedures
Background Checks: For sensitive roles, vendor management and due diligence
Business Continuity: Planning and disaster recovery procedures

12.3 Compliance and Certifications

Security Standards

  • ISO 27001 Information Security Management
  • SOC 2 Type II compliance
  • PCI DSS for payment processing
  • Financial services security frameworks

13. DATA BREACH NOTIFICATION

13.1 Incident Response

Detection & Assessment: 24/7 monitoring, rapid response team, risk assessment
Containment: Immediate containment and remediation measures

13.2 Notification Timelines

UK/EU

Regulatory notification within 72 hours

Individual notification without undue delay

India

Notification as required by DPDPA

Regulatory guidelines compliance

US

Notification as required by state laws

Typically 30-60 days

14. CHILDREN'S PRIVACY

Age Restrictions

UK/EU: No services to individuals under 18

India: No services to individuals under 18

US: No services to individuals under 18 (21 in some states for financial services)

Verification Measures

  • Age verification during registration
  • Government ID verification
  • Parental consent mechanisms where legally required
  • Immediate deletion of data if collected from minors inadvertently

15. AUTOMATED DECISION-MAKING AND PROFILING

15.1 Credit Scoring and Risk Assessment

Automated Systems: Credit scoring algorithms, fraud detection, investment suitability assessments
Human Oversight: Regular algorithm audits, human review, appeal mechanisms

15.2 User Rights Regarding Automation

  • Right to obtain human intervention
  • Right to express point of view and contest decisions
  • Right to explanation of automated decision-making logic
  • Right to request manual review of algorithmic decisions

16. THIRD-PARTY LINKS AND SERVICES

Disclaimer

Our platform may contain links to third-party websites and services. This Privacy Policy does not apply to third-party sites, and users should review their respective privacy policies.

Integrations

Social Media: Optional social media login, sharing capabilities
Partner Services: Investment platforms, payment processors, credit agencies

17. PRIVACY BY DESIGN

17.1 Data Protection Principles

Data Minimization: Collect only data necessary for specified purposes
Purpose Limitation: Use data only for stated purposes
Storage Limitation: Retain data only as long as necessary
Accuracy: Maintain accurate and up-to-date personal data
Security: Implement appropriate technical and organizational measures
Accountability: Demonstrate compliance with data protection requirements

18. CONTACT INFORMATION AND COMPLAINTS

18.1 Privacy Officer Contact

Primary Contact

Email: privacy@urcash.co.uk

Phone: +44(0) 808 271 0446

Address: Privacy Officer, URCASH Financial Platform Services UK Limited, 20 Wenlock Road, London, England, N1 7GU

18.2 Regulatory Complaints

UK

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

EU

Relevant national data protection authority in your country

India

Data Protection Board (once established)

US

Relevant state attorney general's office or consumer protection agency

19. UPDATES TO THIS PRIVACY POLICY

This Privacy Policy may be updated periodically to reflect changes in legal and regulatory requirements, business practices, technology, and corporate structure.

Notification of Changes

  • Email notification for material changes
  • Website notice and updated effective date
  • 30-day advance notice for significant changes
  • Continued use constitutes acceptance of updates

20. GOVERNING LAW AND DISPUTE RESOLUTION

20.1 Applicable Law

Primary Jurisdiction: English law and UK data protection regulations

Additional Jurisdictions: EU Member State laws, Indian data protection laws, US federal and state laws where applicable

20.2 Dispute Resolution

  1. First Step: Contact our Privacy Officer for informal resolution
  2. Alternative Dispute Resolution: Mediation through recognized ADR providers
  3. Legal Action: Courts of England and Wales have exclusive jurisdiction, subject to local consumer protection laws

This Privacy Policy is effective as of August 6, 2025, and supersedes all previous versions.

© 2025 URCASH Financial Platform Services UK Limited. All rights reserved.