Skip to main content

Privacy Policy

Last updated: 1 June 2026 · Version 1.0

This Privacy Policy explains how Calion Group Ltd (“Calion”, “we”, “us”) collects, uses, shares, and protects personal data when you use our website, platform, and related services (together, the “Service”). It applies to small and medium-sized businesses (“SMEs”) that apply for merchant cash advance funding through us, to investors who fund advances through the platform, to brokers and partners, and to anyone whose personal data we receive in connection with the Service (for example, company directors and beneficial owners).

Calion operates only in the United Kingdom and the Republic of Ireland. We process personal data in compliance with the UK General Data Protection Regulation (the “UK GDPR”) and the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “EU GDPR”) and the Irish Data Protection Act 2018.

1. Who we are and how to contact us

Calion Group Ltd is the data controller for the personal data described in this notice. Our company details are:

  • Registered office: [to be inserted]
  • Company number: [to be inserted]
  • ICO registration number: [to be inserted]
  • Data protection enquiries: privacy@calion.ie
  • General enquiries: info@calion.ie

We have not appointed a statutory Data Protection Officer because we are not required to do so under Article 37 of the UK / EU GDPR. Our privacy lead is reachable at the privacy@ address above.

2. What personal data we collect

The categories of personal data we collect depend on how you interact with us.

2.1 Account and identity data

  • Name, email address, password (hashed), role, language preferences.
  • Two-factor authentication credentials (one-time codes, backup codes).

2.2 Business and applicant data

  • Trading name, registered name, company registration number, VAT number, address.
  • Director and beneficial-owner names, dates of birth, addresses, and roles.
  • Industry, years trading, employee count, revenue band.

2.3 Financial data

  • Bank account details and transaction history obtained through Open Banking (with your explicit consent each time).
  • Card or merchant-acquirer transaction summaries (where you connect a payments provider).
  • Credit-bureau signals (where lawful), including credit score bands and adverse indicators.

2.4 KYC, AML, and sanctions data

  • Identification documents (passport, driving licence, national ID), proof of address documents, selfie or liveness images where used.
  • Sanctions, PEP, and adverse-media screening results.
  • Source-of-funds declarations where required.

2.5 Communications and usage data

  • Support messages, in-app chat, email correspondence.
  • Audit log of in-app actions (logins, MFA enrolment, application submissions, advance status changes, repayments).
  • Technical data: IP address, browser type, device type, operating system, time-zone, and similar telemetry.

2.6 Marketing data

  • Your contact preferences and your responses to our communications.

3. Where we get personal data from

  • Directly from you when you create an account, apply, or contact us.
  • From your company's authorised representatives where another person submits the application or invites you to the platform.
  • From third-party data sources we use to verify identity and creditworthiness: Open Banking providers, credit bureaux, Companies House, sanctions and PEP screening databases.
  • From your device, automatically (cookies and similar technologies; see section 12).

4. Why we use personal data and our legal bases

PurposeCategories of dataLegal basis (Article 6 UK/EU GDPR)
Provide the Service: create your account, present offers, originate advances.Account, business, financial, communications.Performance of a contract with you, or steps to enter into one (Art. 6(1)(b)).
Identity verification, KYC, AML, sanctions and PEP screening.Identity, KYC.Legal obligation (Art. 6(1)(c)) under the Money Laundering Regulations 2017 and equivalent Irish law.
Underwriting and credit decisioning (including automated processing — see section 11).Business, financial, KYC.Performance of a contract (Art. 6(1)(b)) and our legitimate interests in pricing risk fairly (Art. 6(1)(f)).
Fraud prevention, platform security, abuse detection.All categories.Legitimate interests in preventing fraud and protecting users (Art. 6(1)(f)) and legal obligation where applicable.
Record-keeping for financial-services regulatory purposes.All categories.Legal obligation (Art. 6(1)(c)).
Service improvement and analytics.Usage, technical.Legitimate interests in improving the Service (Art. 6(1)(f)). You can object — see section 8.
Marketing communications.Account, marketing.Your consent (Art. 6(1)(a)). You can withdraw consent at any time.

5. Who we share personal data with

We share personal data only with carefully selected recipients and only as needed to provide the Service or meet a legal obligation. Recipients include:

  • Service providers (sub-processors) who host the platform, send email, provide AI inference, run KYC checks, and similar functions. Our current list is at /legal/sub-processors.
  • Funders and investors with whom your application is shared (with your knowledge) so they can make a funding decision.
  • Credit bureaux to whom we may report advance performance, in line with industry standards.
  • Regulators, courts, law-enforcement, and tax authorities where we are required by law to disclose information.
  • Professional advisers (lawyers, auditors, accountants) under duties of confidentiality.
  • Prospective buyers of all or part of our business, under confidentiality, in connection with a sale or restructuring.

We do not sell personal data, and we do not share it with advertising networks for behavioural advertising.

6. International transfers

We store personal data within the UK and the European Economic Area (EEA) wherever possible. Some of our sub-processors (e.g. Anthropic, certain hosting components) may process data in the United States. Where personal data is transferred outside the UK or EEA we rely on one of the following safeguards:

  • An adequacy decision by the UK Government or the European Commission (e.g. the UK-US Data Bridge / EU-US Data Privacy Framework for certified recipients).
  • The European Commission Standard Contractual Clauses (2021) combined with the UK International Data Transfer Addendum (IDTA), supported by a transfer risk assessment.

You can request a copy of the safeguards we rely on by emailing privacy@calion.ie.

7. How long we keep personal data

We keep personal data only for as long as we need it. Specific retention periods include:

  • Application and advance records: 6 years from the end of the relationship, in line with UK financial-services record-keeping expectations and the Limitation Act 1980 / Irish Statute of Limitations.
  • KYC and AML records: 5 years from the end of the business relationship, as required by the Money Laundering Regulations 2017.
  • Audit logs: 7 years, then archived in secure cold storage for 1 further year before deletion.
  • Marketing data: until you withdraw consent, plus a short suppression-list retention to honour your opt-out.
  • Support correspondence: 3 years from the last interaction.

Where data is kept beyond active use it is held in a restricted, access-controlled archive.

8. Your rights

Under the UK GDPR and EU GDPR you have the following rights, free of charge:

  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate data corrected.
  • Right to erasure (“right to be forgotten”) — in defined circumstances; this does not override our legal record-keeping obligations.
  • Right to restrict processing — to pause our processing while a dispute is resolved.
  • Right to data portability — to receive certain data in a structured, commonly used, machine-readable format.
  • Right to object — to processing carried out on the basis of legitimate interests, including profiling.
  • Rights related to automated decision-making — see section 11.
  • Right to withdraw consent — at any time, where we rely on consent (without affecting prior lawful processing).

To exercise any right, email privacy@calion.ie. We will respond within one month and may ask you to verify your identity before disclosing personal data.

9. How to complain

If you are unhappy with how we have handled your personal data, please contact us first. You also have the right to complain to a supervisory authority:

10. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, audit logging, two-factor authentication for privileged accounts, vulnerability scanning, and regular review. More detail is on our Security page. No method of transmission or storage is completely secure; we will notify affected users and the relevant supervisory authority where required if a personal data breach occurs.

11. Automated decision-making and profiling

We use automated processing — including AI-assisted credit underwriting — to evaluate applications, set indicative offer parameters, and prioritise human review. Profiling feeds into pricing and approval recommendations. A qualified human reviewer makes or confirms every funding decision before any advance is issued; we do not rely on solely automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22 UK/EU GDPR.

You have the right to request meaningful information about the logic involved, the significance of the processing, and the envisaged consequences, and to contest a decision. Email privacy@calion.ie to exercise this right.

12. Cookies and similar technologies

We use a small number of essential cookies to keep you signed in, remember your preferences, and protect against abuse. Where we use non-essential cookies (for example, analytics), we ask for your consent first via a cookie banner, and you can change your preferences at any time. Our Cookie Notice (where one is in force) is linked from the cookie banner.

13. Children

The Service is intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 18.

14. Changes to this notice

We will update this notice from time to time. The “Last updated” date at the top reflects when it last changed. If the changes are material, we will notify you (for example, by email or in-app banner) before they take effect.

15. Contact

Data protection enquiries: privacy@calion.ie. Postal address: as in section 1.