Data Protection & UK GDPR Policy

Data Protection & UK GDPR Policy

Last Updated: June 2026

Nuventra Limited ("Nuventra", "we", "us" or "our") is committed to protecting personal information and handling data fairly, securely and responsibly.

Nuventra Limited is currently progressing an application for FCA authorisation. Whilst authorisation is pending, this policy is written to reflect our commitment to UK data protection law, good governance, fair customer treatment and recognised industry best practice. We do not state that Nuventra is currently FCA authorised.

Who We Are

Nuventra Limited
Company Number: 16516640
Registered Office: 20 Wenlock Road, London, England, N1 7GU
Trading Address: Cohav House, 17 Aviation Way, Southend-on-Sea, Essex, SS2 6UN
Email: customer@nuventra.co.uk
Website: www.nuventra.co.uk
Telephone: Coming Soon
ICO Registration: Application Pending
FCA Status: Authorisation Application in Progress

Purpose Of This Policy

This policy explains how Nuventra manages personal data in connection with our website, customer communications, account management activities, support processes and business operations.

It applies to personal data relating to customers, former customers, representatives, third parties, advisers, suppliers and any other individuals whose personal information we process.

Our Role As Data Controller

In most cases, Nuventra Limited acts as a Data Controller. This means we decide why personal data is collected, how it is used, how long it is retained and how it is protected.

Where we use third-party suppliers, such as IT providers, mailing providers, tracing services or other operational partners, those organisations may act as Data Processors and must process personal data only in accordance with our instructions and appropriate contractual safeguards.

Lawful Bases For Processing

We only process personal data where we have a lawful basis under UK GDPR. Depending on the activity, this may include:

• Legitimate interests — for example, managing accounts, communicating with customers, preventing fraud, tracing, risk management and improving processes.
• Legal obligation — for example, complying with statutory requirements, court orders, tax, audit or regulatory reporting obligations.
• Contract — where processing is necessary to perform or take steps connected with an agreement.
• Consent — where required, including in certain circumstances involving special category data.

Types Of Personal Data We May Process

Depending on the circumstances, we may process:

• Identification details, including name, address and date of birth
• Contact details, including email address, telephone number and postal address
• Account and financial information, including balances, payment history and repayment arrangements
• Communication records, including emails, letters, call notes and messages
• Information received from customers, authorised representatives or advisers
• Credit, risk, tracing or address-verification information where lawful and necessary
• Support or vulnerability-related information voluntarily provided by customers
• Website and technical data, including IP address, device information and analytics data

We apply data minimisation principles and only collect information that is relevant and necessary.

Vulnerability And Sensitive Information

Some customers may choose to share information about health, personal circumstances, financial difficulty or other support needs. We treat this information with additional care.

Where such information is recorded, we will:

• Record only what is necessary to provide appropriate support
• Use respectful and neutral wording
• Restrict access to staff who need to know
• Review information where appropriate
• Delete or anonymise information when it is no longer required

Where special category data is processed, we will ensure an appropriate lawful basis and condition for processing applies.

How We Use Personal Data

We may use personal data to:

• Communicate with customers and authorised representatives
• Manage accounts and customer support activity
• Assess financial difficulty or vulnerability support needs
• Review affordability and repayment arrangements where appropriate
• Investigate and respond to complaints
• Comply with legal and regulatory obligations
• Prevent fraud, financial crime and misuse of services
• Improve our processes, systems and customer experience

Sharing Personal Data

We may share personal data where lawful and necessary with:

• Authorised representatives, debt advisers or third parties acting on behalf of a customer
• Solicitors, courts or legal representatives where required
• Tracing, verification, mailing, printing or IT service providers
• Professional advisers, auditors or insurers
• Regulators, public authorities or law enforcement agencies where legally required

We do not sell personal data.

International Transfers

Our default position is to keep personal data within the United Kingdom or European Economic Area where possible.

If personal data must be transferred outside the UK or EEA, we will ensure that appropriate safeguards are in place, such as adequacy regulations, standard contractual clauses, the UK International Data Transfer Agreement or another lawful transfer mechanism.

Security Of Personal Data

We use appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse, alteration or disclosure.

These measures may include:

• Access controls and role-based permissions
• Secure systems and password controls
• Encryption where appropriate
• Multi-factor authentication where available
• Secure backups and disaster recovery processes
• Staff training and confidentiality obligations
• Monitoring and review of security practices

Data Breaches And Incident Management

A data security incident is any event that leads to, or may lead to, unauthorised access, loss, alteration, disclosure or destruction of personal data.

If a suspected data breach occurs, we will:

• Record and investigate the incident promptly
• Take steps to contain and resolve the issue
• Assess any risk to affected individuals
• Notify the Information Commissioner's Office where legally required
• Notify affected individuals where required
• Review lessons learned to reduce future risk

Data Subject Rights

Under UK GDPR, individuals have rights in relation to their personal data. These may include:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure, where applicable
• The right to restrict processing
• The right to object to certain processing
• The right to data portability, where applicable
• Rights relating to automated decision-making and profiling, where applicable

To exercise your rights, please contact us at customer@nuventra.co.uk. We may need to verify your identity before responding.

Retention And Deletion

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, contractual, audit, complaint handling and record-keeping requirements.

When personal data is no longer required, it will be securely deleted, anonymised or irreversibly destroyed where appropriate.

Governance, Monitoring And Review

Nuventra will maintain appropriate data protection governance arrangements, including policy reviews, internal monitoring, staff training and records of processing activities where required.

Where processing is likely to result in a high risk to individuals, we will consider whether a Data Protection Impact Assessment is required.

Complaints And The ICO

If you have concerns about how we process personal data, please contact us first so we can investigate and respond.

You also have the right to contact the Information Commissioner's Office:

Website: ico.org.uk
Telephone: 0303 123 1113

Contact Details

Nuventra Limited
Cohav House
17 Aviation Way
Southend-on-Sea
Essex
SS2 6UN

Email: customer@nuventra.co.uk