When you apply for business funding, data is central to the process. Lenders need information about your business to assess your application. Regulators require it to prevent fraud and financial crime. And the more accurate the picture we have of your business, the better we can match you with the right finance options.
We take that responsibility seriously. Capitalise is a regulated SME broker, which means we operate under strict rules about how data is collected, used, stored, and shared. This guide explains what data we collect and where it comes from, how we use it, and when and why we share it. It also covers the measures we have in place to keep it safe.
What data we collect and where it comes from
When you apply for business funding, you'll need to share some information about your business. Some of it comes from you directly and some of it is already in the public domain. Here's a breakdown of the types of data we collect and where it comes from.
Types of data we collect
There are three categories of data we work with. Each category serves a specific purpose in the funding process.
Business details
We collect basic information about your company, including your registration details, trading address, business activity, and the identities of directors, shareholders, and beneficial owners. Every regulated funding application requires this.
Financial data
Your financial data helps lenders understand the health of your business and assess whether the funding you're applying for is affordable. It includes:
We only collect this when you make a full application through our marketplace.
Credit data
Your credit data includes your business credit score and credit history, sourced from credit reference agencies including Experian. It tells lenders how your business has handled credit in the past, which influences both the likelihood of approval and the rates you're offered.
Where your data comes from
Data reaches your Capitalise account from four main sources:
You'll provide us with information directly when you sign up and when you apply for funding. This includes personal identification documents and financial records.
A lot of the data we hold is already publicly available. Companies House, for example, holds information about your business registration, filing history, and director records. We draw on this to build and verify your profile.
We use Experian to access your business credit profile. This is the same data lenders use when they assess your application, and having access to it means you can see exactly how you look to potential lenders before you apply.
Open Banking is a secure, regulated way for you to share data from your business bank account with authorised platforms. Rather than gathering and uploading bank statements manually, you give permission for us to connect directly to your account. It's quicker for you and gives lenders a more accurate, up-to-date picture of your finances than documents alone. If your business has been trading well recently but that isn't yet reflected in your filed accounts, Open Banking can help tell the fuller story.
We only collect data where it's necessary. We only ask for personal information like identity documents and bank statements when you make a full application, not before.
How we use your data
Without the right data, we can't assess what kind of funding your business is eligible for, identify the right lenders, or help you put together the strongest possible application. Here's how we put the data we hold to work.
Assessing eligibility and matching you with lenders
We use your business and financial data to assess your eligibility for different types of funding. We then match you with lenders whose criteria your business is most likely to meet. The more complete and accurate your profile, the more relevant your options will be.
Identity verification and compliance
As a regulated broker, we have legal obligations around identity verification. When you apply for funding, we need to confirm the identities of the directors, shareholders, and beneficial owners associated with your business. This is part of our Know Your Customer (KYC) obligations under the Money Laundering Regulations 2017. We also screen against sanctions lists and Politically Exposed Person (PEP) records as part of our anti-money laundering (AML) responsibilities. These checks exist to protect you as much as anyone. They're what keeps the lending market safe for legitimate businesses.
Fraud prevention and account management
Data plays a central role in detecting and preventing fraud across the financial system. We use the information we hold to identify inconsistencies, flag unusual patterns, and cross-check details against external databases. We also use your data to manage your account day-to-day, respond to queries, and provide ongoing support. Where required by our regulators, we record and monitor communications for quality control and compliance purposes. We only use your data for the purposes set out above. We never use it beyond what's necessary and never share it without your consent.
Consent and control
You stay in control of your data throughout your time on the Capitalise platform. When you sign up for a free account, we collect only the basic information needed to set it up. That means your name, contact details, and company information. We don't collect personal financial documents or detailed business information at this stage. More sensitive information, such as bank statements and identity documents, is only collected when you make a full application through our marketplace. At that point, you're giving us permission to use that information to find the right finance options for your business.
Lenders can only access your data if you've specifically selected them as part of an application. No lender sees your information unless you've chosen them. The same applies to accountants on the platform, who can only see data for businesses they've personally introduced.
Why we share data with lenders
Sharing data with lenders isn't optional. It's a fundamental part of how business lending works. Without it, a lender has no way to assess whether the funding you're applying for is right for your business, or whether your business is right for them.
What data is shared and with whom
When you select a lender and submit an application, we share what's relevant to that application. This typically includes your business and financial data, identity verification information, and your credit profile as provided by Experian. We share only what a lender needs to assess your application responsibly. We may also share your data with:
We never share your data without a lawful basis for doing so. We never sell your data to third parties. And we never share more information than is necessary for the specific purpose at hand.
How data sharing helps prevent fraud
Fraud is a serious and growing problem in business lending. Sharing data responsibly is one of the most effective tools available to prevent it, both for individual businesses and for the financial system as a whole. Here's how data verification works in practice.
Checks carried out at the application stage
Before a funding application is assessed, a series of verification checks takes place. These draw on shared data from multiple sources and are designed to confirm that the business and its principals are who they say they are.
Know Your Customer (KYC) and Know Your Business (KYB)
KYC and KYB checks verify the identity of the business and the people behind it. We check company registration details, confirm the identities of directors and beneficial owners, verify the source of funds, and screen against sanctions lists and PEP databases. These checks are a legal requirement under the Money Laundering Regulations 2017.
Credit bureau and fraud database checks
Lenders run checks through Experian, Equifax, TransUnion, and CIFAS. CIFAS is the UK's fraud prevention service. It operates a shared database that its members, including banks, lenders, insurers, and other financial organisations, use to record and access information about confirmed or suspected fraud. When a member organisation identifies fraudulent conduct, it files a case to the database. That case then becomes visible to every other CIFAS member the next time that individual or business applies for a financial product or service. So if fraud has been associated with a business at any point, other lenders will see that history when they run their checks. A CIFAS marker doesn't mean an application is automatically refused, but it does trigger a more rigorous review, and in some cases will affect the outcome. It's one of the reasons why accurate and honest information at the application stage matters so much.
Confirmation of Payee
Confirmation of Payee is a name-checking service that runs before money is sent anywhere. It verifies that the business name on the destination account matches the account number and sort code being used. Before this service existed, banks could only check the numbers, not whether the name actually matched. That gap was exploited by fraudsters who would either manipulate payment instructions or impersonate suppliers to redirect money into accounts they controlled. CoP closes that gap. If the details don't match, the payment is flagged before it leaves the account, giving the sender the chance to investigate before any money moves.
Open Banking verification
Many lenders use Open Banking to access real-time business banking data, with your consent. With direct access to your actual income and cash flow figures, lenders don't have to rely solely on documents. This makes it much harder for fraudulent applications based on manipulated bank statements or false turnover claims to succeed.
Ongoing monitoring
Fraud prevention doesn't stop once an application has been approved. A range of monitoring tools continue to operate throughout the life of a loan.
Anti-Money Laundering (AML) monitoring
AML monitoring is the ongoing process of watching financial transactions for patterns that suggest money may be moving through a business for illegitimate reasons. Lenders look for things like unusually rapid movement of funds, transactions that don't fit the business's normal profile, and connections to high-risk jurisdictions. They also watch for indicators that a company may exist primarily on paper rather than trading genuinely. Where a transaction raises concern, lenders are legally required to submit a Suspicious Activity Report (SAR) to the National Crime Agency rather than simply declining to proceed.
Device, IP, and behavioural analytics
Modern fraud detection systems build a picture of how a genuine user behaves when they access a platform, and flag anything that deviates from it. This includes the device and location used to log in, the speed at which forms are completed, and patterns suggesting automated activity rather than a real person. These tools are particularly effective at identifying bot-driven application fraud, attempts to use stolen identities, and coordinated attacks where multiple fraudulent applications arrive in a short window.
AI and machine learning
Many lenders use machine learning models to detect fraud patterns across large volumes of applications in real time. These systems compare thousands of variables simultaneously and can identify document tampering, stolen identities, and application fraud that might not be obvious through manual review.
Post-disbursement monitoring
Fraud prevention doesn't stop once a loan is issued. Unusual repayment behaviour, such as a sudden change in repayment source, unexpectedly early repayments, or large outbound transfers, can trigger a review. For legitimate borrowers, this kind of monitoring is a safeguard. It helps protect your account from being misused and keeps the lending system trustworthy for everyone in it.
How we protect your data
Protecting your data properly takes robust technology, strict internal controls, and independent verification that those controls are actually working. Here's what that looks like at Capitalise.
Infrastructure and encryption
All data on the Capitalise platform is hosted on Microsoft Azure. Data is encrypted both when it's stored and when it's being transmitted. We use the same encryption standards required of banks and other regulated financial institutions under FCA rules. Access to the platform requires two-factor authentication (2FA). That means you need more than just a password to get in, which protects your account even if your login credentials were ever compromised. Our infrastructure uses Azure Kubernetes Service, a self-managing system that doesn't store temporary or volatile data, reducing the risk of exposure. All databases are backed up daily, with copies stored across multiple geographical locations so that your data can be recovered quickly if anything goes wrong.
Who can see your data
Access to data within the Capitalise platform operates on a strict need-to-know basis. This is sometimes called the principle of least privilege, and it means that people can only see the information they genuinely need to do their job. In practice:
Any third-party company that handles data on our behalf must pass a due diligence process confirming GDPR compliance. They must also sign a formal Data Processing Agreement before accessing any information.
Security certifications and testing
Independent validation matters. We don't just claim our security is robust. We have it tested and certified by external organisations. Capitalise holds Cyber Essentials certification, the UK government-backed standard for basic cyber security. Our infrastructure provider, Microsoft Azure, holds ISO 27001 certification, the internationally recognised standard for information security management. We regularly commission penetration testing from CREST-accredited organisations. These are specialists who are paid to try to find weaknesses in our systems before anyone else does. Any vulnerabilities identified are remediated promptly. Our engineering team uses Detectify and LogDNA for continuous threat monitoring. Unusual activity is flagged and investigated in real time rather than after the fact.
What happens if something goes wrong
We have a formal Breach Management Plan in place for any security incident. If a breach occurs, we investigate it immediately. Where a breach poses a high risk to users, we report it to the Information Commissioner's Office (ICO) within 72 hours, as required by GDPR.
Regulatory compliance
We operate within a strict regulatory framework. This isn't just a legal requirement. It's what ensures your data is handled to a consistently high standard.
The regulations we work within
Regulation | What it means for you |
UK GDPR and Data Protection Act 2018 | We collect and use your data fairly, lawfully, and transparently. You have clear rights over your data. |
Financial Conduct Authority (FCA) | We are a regulated broker, which means our practices are subject to FCA oversight. |
Money Laundering Regulations 2017 | We are required to verify identities and report suspicious activity to protect against financial crime. |
How long we keep your data
We don't hold your data for longer than necessary. For most information, retention periods are governed by our legal and regulatory obligations. Successful transactions are typically retained for up to seven years to meet FCA and HMRC requirements. Once the retention period has passed, data is securely destroyed.
Our internal compliance framework
Every member of the Capitalise team is required to follow our Golden Rules of Compliance. This is an internal framework covering how we treat customers, handle data, and respond to suspected financial crime. Staff complete compliance training regularly to stay current with their obligations.
Proactive risk management
Protecting data isn't a one-time exercise. Threats evolve, systems change, and what worked last year may not be sufficient this year. We take a proactive approach to managing data risk, which means we're continuously looking for problems rather than waiting for them to appear. Our approach combines several layers of ongoing activity:
Your rights as a user
You have legal rights over your personal data under UK GDPR. At a minimum, these include:
Built on transparency
Applying for business funding requires sharing information, and we understand that requires trust. We collect data only where it's necessary, use it only to benefit your business, and share it only where required and with your consent. We protect it with infrastructure that meets FCA encryption standards, independent security testing, and a compliance framework built around GDPR and FCA requirements.
If you have a question about how your data is handled that isn't answered here, visit our help centre or speak to your Capitaliser account manager.