Privacy Notice – Scope

We take your privacy seriously and are committed to maintaining the trust and confidence of our clients, visitors to our website and subscribers to our newsletter. Maintaining the security of your data is critical and we have implemented measures to ensure your privacy rights are respected and applied. We commit to process your data fairly, legally and to be transparent about how we do so.

This notice, which applies wherever you use our services or use our website, explains our approach to data integrity and your individual rights. It does not apply to pages hosted by our referral partners, independent consultants, and associates. By applying for a Start Up Loan you consent to the collection, use and transfer of your information under the terms of this notice.

Put simply, we set out what we are going to do with your data in this Privacy Notice.
We ask you to read this Privacy Notice to ensure you are happy with the way that your data will be processed.

We ask you to confirm that you agree with our Privacy Notice when you enter into a loan application with us.

The processing of personal data is governed by the General Data Protection Regulation 2016/679 (GDPR).

The notice may change from time to time so please check for updates regularly. If you need further details or are unsure in any way, please contact us at

Who are we?

Startup Direct is a Limited Company registered in England, referred to as “Startup Direct,” “we,” “our,” or “us” in this notice.

Our registered number is 11637565.

Our registered office is at Northern Design Centre, Abbotts Hill, Baltic Business Quarter, Gateshead, NE8 3DF.

Startup Direct is a national delivery partner of the Start Up Loans Company, a Government-backed initiative which is part of the British Business Bank. Startup Direct is also a Transmit Group company which operates the Transmit Start-Ups brand, which is also a provider of the Start Up Loans programme.

In addition to the loan fund, we also provide free business planning support and post-loan mentoring for up to 12 months for all loan recipients.

As a Delivery Partner of the Start Up Loans scheme, we are both a data controller and a data processor, as defined by the GDPR. Startup Direct is a joint controller with the Start Up Loans Company. For applicants who apply via our website, your data is shared with Transmit Start Ups who will process your loan application, and the Start Up Loans Company, as per the requirements of the scheme and our contractual obligations. If you would like more information about how the Start Up Loans Company handle your personal data, please consult their Privacy Policy.

What personal information do we collect and process?

We collect and process your data in the following circumstances:

Transmit Start-Ups may collect the following information about you:

This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this notice. Some of the above personal data is collected directly, for example when you engage with us. Other personal data is collected indirectly, for example your browsing activity. We may also collect personal data from third parties who have your consent to pass your details to us, or from publicly available sources.

Why do we collect and process your personal information?

We only collect and process the information needed to effectively provide our services to you when applying for a Start Up Loan, as well as for contact and communication purposes.

We will use your personal information as part of the reporting process we have agreed with our partner organisations.

We provide reports on our activity as per agreements with organisations for whom we deliver programmes.

How is your personal information used?

We use your personal data:

Certain types of personal information, such as gender and ethnicity, are used only as part of our contractual reporting requirements, for the purposes of monitoring and promoting equal opportunities.

The lawful basis for processing your personal information

Legitimate interest
We may collect, hold and process your personal data on the basis of legitimate interest where it is necessary in order for us to fulfil our needs as a business and to be able to provide you with our services, including, but not limited to:

We collect, hold, and process your personal data on the basis that you give us consent when you accept this Privacy Notice.

We will seek your consent to hold and process your data when you sign up to our mailing list or we need to ask for any sensitive data as part of the application process. If you choose not to sign up to our mailing list we will still communicate with you when necessary as part of our contractual obligations.

You remain in control of the personal data you share with Startup Direct. You can change your preferences at any time, by choosing whether you want to give consent to your data being processed for specific types of communication and / or communication channels.

Vital interest
We may use your personal information to contact you if we reasonably believe that the processing of your personal data will prevent or reduce any potential harm to you. This type of notification is in your vital interest.

Legal Obligation
We may use and process your personal data to comply with our legal obligations such as HMRC requirements, if it is genuinely needed for law enforcement, to identify you as an individual if you contact us, or to verify the accuracy of your data.

Who we share your personal information with

Our service providers and suppliers
In order to make certain services available to you, we may need to share your personal data with some of our service partners. These include HMRC, cloud storage and IT providers.

Startup Direct only allows its service providers to handle your personal data when we have confirmed that they apply appropriate data protection and security controls. We also impose contractual obligations on service providers relating to data protection and security, which mean they can only use your data to provide services to Startup Direct and to you, and for no other purposes.

Our partners in the Start Up Loans programme
When making an application for a Start Up Loan we will share your personal information with our partners who deliver the Start Up Loans programme.

The Start Up Loans Company
The Start Up Loans Company (SULC) are part of the British Business Bank and manage the Start Up Loans programme nationally. SULC are able to access all of the personal information you provide to Startup Direct and your application is also covered by their Privacy Notice.

The Enterprise Fund t/a GC Business Finance
The Enterprise Fund t/a GC Business Finance are our finance partner in delivering the Start Up Loans programme. When you are approved for a loan your personal details are passed to them to enable a loan agreement to be drawn up and for the loan to be paid to you. GC Business Finance will also use your personal details to contact you about loan repayments. Their agreement and Privacy Notice will set out the terms.

Associate Business Advisors
If we engage an associate business advisor to work with you on your application, we will need to share your personal information as part of that process. All of our Associate Business Advisors operate within the terms set out in this Privacy Notice, and have undergone a substantial due diligence and induction process.

When you receive a loan from us we will offer you the services and support of one of our experienced business mentors. A separate agreement will be issued containing the details of this relationship. Your mentor will only have been provided with your personal information when you have both agreed to enter into the relationship and wish to be contacted.

Other third parties
Aside from our service providers, we will not disclose your personal information to any third party unless we are legally obliged to do so, or you provide your consent for us to do so (for example to access third party resources). We will never sell or rent our customer data to other organisations for marketing purposes.

Examples of where we may be legally obliged to share your personal information include:

  • Credit reference agencies;
  • Governmental bodies, regulators, law enforcement agencies, courts/tribunals and insurers where we are required to do so;
  • Protecting customers, employees and other individuals and maintaining their safety, health, and welfare;
  • To comply with our legal obligations;
  • To exercise our legal rights (for example in court cases);
  • For the prevention, detection, investigation of crime or prosecution of offenders; and
  • For the protection of your employees and customers.

    Credit reference and fraud prevention agencies

    When you apply for a loan, or for any of the services we provide ourselves or on behalf of SULC, we and SULC will check our own records for information about you and may also carry out a search on you through credit reference agencies.
    Credit reference agencies collect and maintain information about consumers’ and businesses’ credit behaviour. This includes Electoral Register, fraud prevention, and credit information (including details of previous applications and the conduct of your bank accounts) and public information such as County Court Judgements, decrees, and bankruptcies. Credit reference agencies may form a link between any previous or subsequent names that you use in the records they hold about you.

    How we use information from credit reference agencies
    The information that we and/or SULC and other organisations provide to credit reference agencies about you, your financial associates and your business (if you have one) may be provided to other organisations and used by them and us to:

    If we and/or the Start Up Loans Company need to make a credit decision when you apply for a loan or to review the amount of credit we provide under an existing agreement, your records will be searched, along with those of anyone who is financially associated with you such as your spouse or partner. The credit reference agency will keep a record of this search and place a “footprint” on your credit file, whether or not your application proceeds.

    We and/or the Start Up Loans Company may give details of your loan account and how you conduct it to credit reference agencies, including if you borrow and do not repay in full and on time. If you fall behind with your payments and a full payment or satisfactory proposals are not received within 28 days of a formal demand being issued, then a default notice may be recorded with the credit reference agencies. Any records shared with credit reference agencies will remain on file for 6 years after your loan account is closed, whether it has been settled by you or as a result of a default. Other organisations may see these searches and updates if you apply for credit in the future, and these may affect your ability to borrow from other lenders.

    You have a right to apply to the credit reference agencies for a copy of your file.

    We and the Start Up Loans Company carry out most of our credit searches using Experian, but details of how you have run your loan account may be disclosed to all the credit reference agencies. The information they hold may not be the same and there is a small fee that you may need to pay to each agency that you apply to. Their details are:

    We and the Start Up Loans Company have processes and systems that protect our customers and ourselves against fraud and other crime. Customer information can be used to prevent crime and trace those responsible. We will share your personal information from your application with fraud prevention agencies. If false or inaccurate information is provided and fraud is identified, details of this fraud will be passed to these agencies. Law enforcement agencies may access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering, for example when:

    We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.

    Further information to explain credit can be obtained on the ICO website.

    Where your personal information is stored

    Your information is stored on dedicated hardware used by Transmit Start-Ups and all data is held and backed up within the UK or EU, or is covered by the EU-US Privacy Shield Framework.

    We use Dropbox for Business for the storage of electronic files.

    Where you communicate with us by email, we may store copies of the emails. Our email service is provided through Google G Suite.

    We use a cloud-based Customer Relationship Management (CRM) system, Capsule, and a cloud-based task management system, Monday, that allow us to manage and record our work with clients in an efficient manner.

    Your personal information will also be uploaded and stored on the systems our partners The Start Up Loans Company and The Enterprise Fund t/a GC Business Finance require us to use when processing your loan application.

    How we keep your personal information secure

    We are committed to keeping your personal data safe and secure.

    Our security measures include:

    Only authorised and trained personnel can access your personal information if required to do so as part of their legitimate job role.

    How long we keep your personal information

    We will not retain your data for longer than necessary for the purposes set out in this notice.

    We are required by law to keep some information for a minimum period of time e.g. financial information for tax purposes.

    Different retention periods apply to different types of data; however, the longest we will normally hold any personal data is 7 (seven) years. Where there is no legal requirement we will retain personal information for only as long as necessary to deliver our services and respond to any subsequent communications.

    The following retention periods apply to applicants:

    You are able to update, amend or request deletion of your personal information at any time (see below).

    Automated decision making, including profiling

    We may retain some data for reporting and statistical purposes; however, this will only occur after removing all personal information that would allow an individual to be identified. This is called anonymisation.

    Startup Direct do not engage in any profiling activity.

    When do we collect your information?

    Website forms
    Our website has forms built using Gravity Forms. When you use our contact forms, the information is sent to one of our email accounts, so that we can correspond with you. Your personal data will be stored in the website’s database and will be automatically deleted from here after five years. Your data is encrypted with the Gravity Forms Encrypted Fields plugin before it is saved to the database.

    Mailing list
    When you subscribe to our newsletter we collect your email address and name so that we can correspond with you. Your personal data will be stored in MailChimp, the application we use to send our newsletters. You can request to be removed anytime by clicking ‘unsubscribe’ in any newsletter/mailout or by contacting us.

    Online data management (analytics and security)

    When someone visits our website, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.

    We collect information about your computer and about your visits to and use of this website (including your IP address, geographical location, browser type, referral source, length of visit, entry and exit points and the number of page views).

    We do this to find out things such as the number of visitors to the various parts of the site.

    This information is only processed in a way which does not identify anyone.

    We do not make, and do not permit Google to make, any attempt to find out the identities of those visiting our website.

    If we do ever want to collect personally identifiable information through our website, we will be upfront about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

    Website security and backups
    Our website has HTTPS encryption via a Let’s Encrypt SSL certificate to ensure any data passed between your browser and the web server (where this website is hosted) is encrypted. When you are on a secure page, a lock icon will appear on the bottom of web browsers such as Microsoft Internet Explorer.

    This website and its database are automatically backed up every day using a third-party service ManageWP. Backups are stored for 90 days in the EU Region.

    Links to Other Web Sites
    This Privacy Notice does not cover the links within our site linking to other websites. Those sites are not governed by this Privacy Notice, and if you have questions about how a site uses your information, you’ll need to check that site’s privacy information.


    Like most websites, the Startup Direct website uses cookies to collect information. Cookies are small data files which store information on your browser, your computer or other connected devices (such as smart phones or tablets). Cookies allow us to recognise that you have visited our website previously. Cookies are essential for the effective operation of our website: they make it easier for you to maintain your preferences on our website and improve your web browsing experience.

    The cookies stored on your browser, computer or other device when you access our websites are designed by Startup Direct, or on behalf of us, and are necessary to improve your use of our site.

    Some cookies collect information about browsing behaviour when you access this website via the same browser, computer or device. This includes information about pages viewed and your journey around a website. We do not use cookies to collect or record information on your name, address or other contact details.

    A cookie often includes a randomly generated number which is stored on your device. Many cookies are automatically deleted after you finish using the website.

    Use of Cookies

    This website does not store any information that would, on its own, allow us to identify individual users of this service without their permission. Any cookies that may be used on this website are used either solely on a per session basis or to maintain user preferences. Cookies are not shared with any third parties.

    The main purposes for which cookies are used are:

    Types of cookies that may be used during your visit to the website are listed below:

    Cookie Name | Expiration | What It Does
    _ga | 2 years | Used to identify users.
    _gid | 24 hours | Used to distinguish users.
    _gat | 1 minute | Used to throttle request rate.
    __cfduid | 5 years | The “__cfduid” cookie is set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information.
    fr | 3 months | This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising.
    _fbp | Session | This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising.
    test_cookie | Session | This pixel is used to check if the user’s browser supports cookies.

    How do I disable cookies?

    Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third-party cookies.

    How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below. Please be aware that blocking all cookies will, however, have a negative impact upon the usability of many websites, including ours.

    Microsoft Internet Explorer
    1. From the Tools menu, select Internet Options.
    2. Click on the Privacy tab.
    3. Select the appropriate settings.

    Google Chrome
    1. Choose Settings > Advanced
    2. Under “Privacy and security,” click “Content settings”.
    3. Click “Cookies”

    1. Choose Preferences > Privacy
    2. Click on “Remove all Website Data”

    Mozilla Firefox
    1. Choose the menu “tools” then “Options”
    2. Click on the icon “privacy”
    3. Find the menu “cookie” and select the relevant options

    Opera 6.0 and further
    1. Choose the menu “Files” > “Preferences”
    2. Privacy

    International transfers

    To deliver a full range of services to you, it may be necessary for us to share your data outside of the European Economic Area. This will typically occur when service providers are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under GDPR.

    If this happens, we will ensure that the transfer will be compliant with data protection law and all personal data will be secure. Our standard practice will be to use ‘standard data protection clauses’ which have been approved by the European Commission for such transfers. Those clauses can be accessed on the European Commission website.

    How you can help protect your personal information

    If you are using a computing device in a public location, we recommend that you always log out and close the website browser when you complete an online session.

    In addition, we recommend that you take the following security measures to enhance your online safety:

    Keep your account passwords private. Remember, anybody who knows your password may be able to access your account.
    When creating a password, use at least 10 characters. A combination of letters, symbols and numbers is best. Try not to use easy to guess words, your name, email address, or other personal data that can be easily obtained. We also recommend that you frequently change your passwords.
    Avoid using the same password for multiple online accounts.

    Your rights in respect of the personal information we hold

    We fully support and facilitate the ability of people to exercise their rights in respect of the personal information supplied to others.

    If you wish to correct, complain, object or otherwise control the data we hold please contact us and we will respond accordingly.

    Please contact us if you have any questions about how your personal information is being used or if you are unhappy about our service or anything we do. We will do our best to resolve the issue.

    An overview of your different rights

    You have the right to request:

    Whenever you have given us your consent to use your personal information, you have the right to change your mind at any time and withdraw that consent.

    Where we rely on our legitimate interest
    In cases where we are processing your personal information on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal information.

    Direct marketing
    You have the right to stop the use of your personal information for direct marketing activity through all channels, or selected channels. We must always comply with your request.

    How you can access the personal information we hold
    You can access a copy of the personal information we hold by submitting a Subject Access Request to us using the contact details below.

    We will respond as soon as possible, and in any event within one month of verifying the request.

    To protect the confidentiality of your personal information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

    Getting in touch with us

    We can be contacted at:

    Northern Design Centre
    Abbotts Hill
    Baltic Business Quarter
    NE8 3DF

    Phone on: 0333 355 4886


    The Supervisory Authority in the UK

    The Supervisory Authority in the UK is the Information Commissioner’s Office (ICO).

    Startup Direct Limited can be found on the Data Protection Register. The registration number is ZA487073.