Legal

Website Privacy Policy

The Working Capital Group Limited t/a WorkCap — how we collect, use and protect personal data.

Last updated: May 2026

This Privacy Policy explains how we collect, use and protect personal data through our website and in connection with enquiries made through it.

Our website and services are intended for business users only. We do not provide services to consumers. However, we may process personal data relating to individuals acting in a business, professional, employment, office-holder, debtor, supplier, adviser or representative capacity.

Our website is not intended for children and we do not knowingly collect data relating to children.

1. Who we are

The Working Capital Group Limited t/a WorkCap is the controller responsible for personal data processed through this website. We are a company registered in England and Wales under number 12718354, with our registered office at Suite 1b Quadrant House North, 65 Croydon Road, Caterham, Surrey, CR3 6PB, United Kingdom. We are registered with the Information Commissioner's Office under registration number ZA796528.

Our data protection contact (we are not required to appoint a statutory Data Protection Officer under Article 37 UK GDPR) can be reached at dpo@workcap.co.uk or by post at: Data Protection Manager, Suite 1b Quadrant House North, 65 Croydon Road, Caterham, Surrey, CR3 6PB, United Kingdom.

You have the right to complain to the Information Commissioner's Office at ico.org.uk. We would appreciate the opportunity to deal with your concerns first, so please contact us before approaching the ICO where possible. If your concern relates to our services rather than data protection, please see our Complaints procedure.

2. Personal data we collect

We may collect and use the following categories of personal data:

  • Identity data, such as your name, job title, business role and organisation.
  • Contact data, such as business email address, telephone number, postal address and communication details.
  • Business enquiry data, such as information you submit through website forms or correspondence with us.
  • Technical and usage data, such as IP address, browser type, device information, pages viewed and how you use the website.
  • Marketing and communications data, such as your communication preferences and whether you have opted out of marketing.
  • Service-related data, where you become a client, supplier, referrer or business contact of WorkCap.
  • Financial and transaction data, where necessary in connection with a client, supplier or service relationship rather than ordinary website browsing.

We do not knowingly collect special category personal data through this website. Please do not submit such information through website forms unless specifically requested.

We may also use aggregated or anonymised data for analysis, service improvement and reporting. Where data can no longer identify an individual, it is not personal data.

3. How we collect personal data

We may collect personal data directly from you when you contact us, complete a form, subscribe to updates, communicate with us or use our website.

We may also collect technical and usage data automatically through cookies and similar technologies, as explained in section 10 and in our Cookies Policy.

Where relevant to our services, we may use publicly available sources, company registers, insolvency records, credit reference agencies and other lawful third-party sources to verify business information, assess enquiries, manage risk and provide our services.

Where we act on behalf of a client in connection with a commercial debt, credit operation or advisory matter, we may receive personal data about debtors, guarantors, directors and related contacts from our client, public registers, credit reference and tracing agencies, insolvency practitioners, legal representatives and other lawful sources. We will provide affected individuals with the information required by Article 14 UK GDPR where appropriate, unless an exemption applies (for example, where doing so would involve disproportionate effort or would prejudice the recovery, investigation or defence of legal claims).

4. How we use personal data

We will only use personal data where the law allows us to. We may use personal data to:

  • respond to enquiries and communicate with you;
  • assess whether our services may be suitable for your business;
  • provide, manage and improve our website and services;
  • manage client, supplier, debtor, adviser and business-contact relationships;
  • carry out verification, risk, compliance and audit checks;
  • protect our business, website, systems, rights and records;
  • send business-to-business marketing communications where permitted by law;
  • comply with legal, regulatory, accounting and reporting obligations.

5. Lawful bases for processing

Depending on the circumstances, we may rely on one or more of the following lawful bases:

  • Contract, where processing is necessary to take steps before entering into a contract or to perform a contract with you or your organisation.
  • Legal obligation, where processing is necessary to comply with a legal or regulatory duty.
  • Legitimate interests, where processing is necessary for our business interests or those of a third party and those interests are not overridden by your rights.
  • Consent, where required, including for certain marketing communications and non-essential cookies.

Our legitimate interests include running and protecting our business, responding to business enquiries, providing services, managing risk, recovering sums due, improving our website and services, and developing business relationships.

6. Marketing

We will only send marketing communications where permitted by law. This may include where you have consented, where you are an existing business contact and have not opted out, or where another lawful basis applies.

You can opt out of marketing at any time by using the unsubscribe option in our communications or by contacting us. We will not sell your personal data or share it with third parties for their own marketing purposes.

7. Sharing personal data

We may share personal data with:

  • service providers who support hosting, IT, security, analytics, communications, workflow automation, AI-assistance, error monitoring and back-office services;
  • professional advisers including lawyers, accountants, auditors, insurers and bankers;
  • clients, suppliers, referrers, insolvency practitioners, legal representatives and business counterparties where relevant to our services;
  • credit reference, fraud prevention, tracing, verification and risk-information providers where relevant;
  • HM Revenue & Customs, regulators, courts, law-enforcement bodies and other authorities where required or permitted by law;
  • potential purchasers, investors or advisers in connection with a business sale, merger, investment or reorganisation.

Where a third party processes personal data on our behalf, we require them to protect it and use it only for authorised purposes.

8. International transfers

Some of our service providers may process personal data outside the United Kingdom. Where we transfer personal data outside the UK, we use appropriate safeguards, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another lawful transfer mechanism.

You can contact us for further information about the safeguards used for international transfers.

9. Data security and retention

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. Access is limited to those with a business need to know.

We keep personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, regulatory, reporting and business-record purposes.

Typical retention periods are:

  • website enquiry and contact-form records: up to 24 months, unless they become part of an active client, supplier, debtor or business relationship;
  • client, supplier and business relationship records: generally at least 6 years after the relationship ends, where required for legal, tax, accounting or claims purposes;
  • files relating to a debt, recovery or advisory matter: retained for at least 6 years from closure, or longer where required to bring or defend legal claims under the Limitation Act 1980, or to comply with regulatory, professional or insurer requirements;
  • cookies and analytics data: as explained in our Cookies Policy.

We may anonymise data so that it can no longer identify an individual. We may use anonymised data indefinitely.

10. Cookies and similar technologies

Our website uses cookies and similar technologies to distinguish you from other users, remember your preferences, measure how the website is used and improve the service we offer.

Strictly necessary cookies are set without your consent because they are required for the website to function. All other cookies, including analytics and marketing cookies, are only set where you have given your consent through our cookie consent tool.

We use Google Consent Mode v2 so that non-essential analytics cookies are denied by default unless and until you opt in. You can accept, reject or manage non-essential cookies when you first visit the website, and you can change your preferences at any time using the "Cookie preferences" link in the website footer. Further details are set out in our Cookies Policy.

11. AI-assisted tools and automated decision-making

We may use AI-assisted tools to support internal administration, drafting, classification, analysis, customer support, risk review and service improvement.

We do not make decisions about individuals that have legal or similarly significant effects based solely on automated processing. In particular, we do not use AI tools to make solely automated decisions about a person's creditworthiness, ability to pay, or enforcement action. Where AI-assisted outputs may affect a client, customer, debtor or other individual, they are subject to appropriate human review before action is taken.

We take steps to minimise personal data used with such tools and use appropriate contractual and security safeguards.

12. Your rights

Subject to legal conditions and exemptions, you may have the right to:

  • request access to your personal data;
  • ask us to correct inaccurate or incomplete personal data;
  • ask us to erase personal data in certain circumstances;
  • object to processing based on legitimate interests or to direct marketing;
  • ask us to restrict processing in certain circumstances;
  • request data portability where applicable;
  • withdraw consent where processing is based on consent;
  • challenge solely automated decisions where applicable;
  • complain to the Information Commissioner's Office or, if you are in the EU/EEA, your local supervisory authority.

To exercise your rights, contact dpo@workcap.co.uk. We may need to verify your identity before responding. We usually respond within one month, although this may take longer where permitted by law for complex or multiple requests.

13. Third-party links

Our website may contain links to third-party websites, plug-ins or services. We are not responsible for their privacy practices. You should read their privacy information before providing personal data to them.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The last updated date above shows when it was most recently revised. Material changes will be brought to your attention by a prominent website notice or other appropriate means.

We review this Privacy Policy at least annually.

15. EU/EEA users

WorkCap is established in the United Kingdom and our processing is primarily governed by the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR), regulated by the Information Commissioner's Office.

Where we offer services to, or monitor the behaviour of, individuals located in the European Union or European Economic Area, the EU General Data Protection Regulation ((EU) 2016/679) ("EU GDPR") may also apply under Article 3(2). In that case:

  • you have the same substantive rights under EU GDPR as those set out in section 12 above;
  • you may lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement, in addition to (or instead of) the UK Information Commissioner's Office;
  • where required under Article 27 EU GDPR, we will appoint an EU representative and publish their contact details here. If you are an EU/EEA-based individual and wish to confirm the position, please contact dpo@workcap.co.uk.