
Privacy overview

Lending Agent Oversight is a supervisory workspace for FCA-authorised principal firms. Privacy in this product is set jointly by UK GDPR (which sets the floor for fair processing and minimisation) and FCA SYSC 9 (which sets the floor for retention of regulated records). The two regimes pull in opposite directions on retention, and the product resolves the tension in favour of the regulatory floor for in-scope records, with documented data minimisation around free-text fields.

This page sets the overall posture. The sibling pages drill into specific articles, the data flow, the DPIA template, the retention table, and the sub-processor list.

The principal firm is the data controller for personal data of its AR-individuals (the people working at each AR), for personal data of its own staff (the principal-admin and principal-compliance-officer users), and for personal data of customers that may incidentally appear in supervisory artefacts (file review evidence, complaint references). The principal firm decides the purposes and the means of processing.

The platform operator (the entity running Lending Agent Oversight as a SaaS) is the data processor for the personal data described above. Processing happens only on documented instructions from the principal firm, governed by an Article 28 data processing addendum.

For tenant-administrative data (the principal firm’s billing contact, the named principal-admin), the platform operator is the data controller in its own right.

The product’s design minimises personal data in two ways: by limiting the fields collected, and by treating customer-facing artefacts as references rather than full records. Detail in data minimisation.

The personal data the workspace holds, in production:

| Field | Subject | Source | Lawful basis | Retention |
| --- | --- | --- | --- | --- |
| User.email, User.displayName | Principal-side staff and AR-individuals | Invitation flow | Article 6(1)(b) contract | 7 years after last regulated activity, then tombstoned |
| AppointedRep.tradingName, AppointedRep.legalName, registeredOffice | AR firm | CSV import | Article 6(1)(c) legal obligation (SYSC 9) | 7 years after termination |
| BreachReport.description, FileReview.notes, FileReviewFinding.evidence | May reference customers indirectly | AR-user or principal-side input | Article 6(1)(c) legal obligation (SYSC 9, SUP 15) | 7 years after Closed / Complete |
| AuditEvent.actorUserId, ip, userAgent | Principal-side staff and AR-individuals | System | Article 6(1)(c) legal obligation | 10 years from at |
| ConductEvent.detail, Attachment | May reference customers indirectly | AR-user input or upload | Article 6(1)(c) legal obligation | 7 years from occurredAt |

Customer PII (full name, date of birth, address, account numbers) is not collected as a structured field in v1. File-review evidence references customers by case reference only; the principal firm is expected to redact direct identifiers before pasting evidence into the workspace. The DPIA process the principal firm runs at adoption (DPIA) requires the firm to confirm this posture in writing.

Special-category data (UK GDPR Article 9: health, racial, religious, political, biometric, sex-life) is not processed by the platform. Vulnerable-customer indicators that may reveal health information are out of scope for v1 and are documented as a planned post-v1 workflow.

Three Article 6 bases are in play. Detail in UK GDPR.

  • Article 6(1)(c) (legal obligation). The principal firm is bound by FCA SYSC 9 to maintain adequate records of its supervisory activity, by SUP 15 to notify the FCA of material breaches, and by PS22/11 to maintain enhanced oversight of self-employed AR individuals. The legal obligation is on the firm; the workspace is the processor that supports compliance.
  • Article 6(1)(b) (contract). The user’s contract with the principal firm (employment for staff, AR contract for AR-individuals) is the basis for sign-in identity, role assignment, and notification preferences.
  • Article 6(1)(f) (legitimate interests). The composite risk score and its inputs (complaints density, breach severity sum, file-review score inverse, time since last review, MI anomaly score) rest on legitimate interests because the score is the firm’s own internal triage signal and is not used to make automated decisions affecting the AR or any customer.

The product does not make automated decisions in the Article 22 sense. The risk score informs human judgement; off-boarding, sign-off, and FCA notification are all human decisions taken by named regulated individuals.

UK GDPR Article 5(1)(e) requires data to be kept no longer than necessary. Article 17(3)(b) carves out an exemption where processing is necessary for compliance with a legal obligation. FCA SYSC 9 imposes a record-keeping obligation on the principal firm; the relevant horizons are seven years for most supervisory records and longer for MiFID-overlay records where applicable.

The product’s defaults:

  • Substantive entities (AppointedRep, BreachReport, FileReview, MIReturn, AnnualReview, ConductEvent) retained for 7 years from the relevant trigger.
  • AuditEvent retained for 10 years, providing a three-year margin against the SYSC 9 floor and supporting evidential continuity in long-running enforcement.
  • User PII tombstoned at off-boarding (name and email replaced with stable opaque tokens; actorUserId foreign keys preserved).

Detail in retention.
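How the off-boarding tombstone in the third default above can be implemented, as an added Python illustration rather than the product's own code. It assumes rows are plain dicts and that the opaque token is an HMAC-SHA256 of the user id under a per-tenant secret held outside Postgres, so the same user always yields the same token while the original value cannot be recovered from it; the user and AuditEvent rows are constructed sample data.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed sample rows (not from the product): one AR-individual and two
# AuditEvent rows that point at her through actorUserId.
SECRET = b"per-tenant-tombstone-key"  # assumption: kept in a secret store, not in Postgres
USER = {"id": "usr_123", "email": "jane.doe@example-ar.co.uk", "displayName": "Jane Doe"}
AUDIT_EVENTS = [
    {"id": "evt_1", "actorUserId": "usr_123", "ip": "203.0.113.7",
     "userAgent": "Mozilla/5.0", "at": "2024-05-01T09:00:00Z"},
    {"id": "evt_2", "actorUserId": "usr_123", "ip": "203.0.113.7",
     "userAgent": "Mozilla/5.0", "at": "2024-05-02T10:30:00Z"},
]

def opaque_token(secret: bytes, user_id: str, field: str) -> str:
    """Stable, non-reversible replacement value: the same user and field always
    map to the same token, so joins and de-duplication keep working after the
    real value is gone, but the token reveals nothing about it."""
    mac = hmac.new(secret, f"{field}:{user_id}".encode(), hashlib.sha256).hexdigest()
    return f"tomb_{mac[:16]}"

def tombstone_user(user: dict, secret: bytes, now: Optional[datetime] = None) -> dict:
    """Return the off-boarded User row: email and displayName replaced, id kept,
    and a tombstonedAt stamp so a re-run leaves an already tombstoned row alone."""
    if user.get("tombstonedAt"):
        return dict(user)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        **user,
        "email": f"{opaque_token(secret, user['id'], 'email')}@tombstone.invalid",
        "displayName": opaque_token(secret, user["id"], "displayName"),
        "tombstonedAt": stamp,
    }

def fk_references_intact(user: dict, audit_events: list) -> bool:
    """AuditEvent rows must still resolve to the same actorUserId: nothing is
    cascaded, nulled or re-keyed, so the audit trail stays evidentially continuous."""
    return all(e["actorUserId"] == user["id"] for e in audit_events)

def residual_pii(original: dict, rows: list) -> list:
    """Ids of rows that still carry the original email or display name anywhere;
    run this after tombstoning as the check that minimisation actually happened."""
    needles = (original["email"].lower(), original["displayName"].lower())
    return [r["id"] for r in rows
            if any(n in str(v).lower() for v in r.values() for n in needles)]
```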

The data path runs from the AR-individual or principal-side user through the workspace to Postgres, the audit log, and the off-platform durable copy in S3-compatible object storage. Transactional email goes via Postmark. Error monitoring (with PII scrubbing) goes via Sentry. Hosting is on Vercel. Detail in data flow and sub-processors.
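What the PII scrubbing in front of Sentry can look like, as an added Python illustration that is not the product's own code. It assumes the Python SDK's before_send hook (a real sentry_sdk.init parameter, used here together with send_default_pii=False) and a constructed event in the shape the SDK passes to that hook; the opaque user id is kept because it joins to the User row, while email, display name, IP address, User-Agent and cookies never leave the platform.

```python
import re
from copy import deepcopy

# Constructed sample event in the shape sentry_sdk hands to before_send
# (not captured from the product); only the keys handled below matter.
SAMPLE_EVENT = {
    "message": "BreachReport save failed for jane.doe@example-ar.co.uk",
    "user": {"id": "usr_123", "email": "jane.doe@example-ar.co.uk",
             "username": "Jane Doe", "ip_address": "203.0.113.7"},
    "request": {"url": "https://workspace.example.invalid/breaches/42",
                "headers": {"User-Agent": "Mozilla/5.0", "Cookie": "session=abc"}},
    "breadcrumbs": {"values": [{"message": "login ok for jane.doe@example-ar.co.uk"}]},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DROP_HEADERS = {"cookie", "authorization", "user-agent"}  # never needed for triage

def scrub_text(text: str) -> str:
    """Mask anything that looks like an email address in free text."""
    return EMAIL_RE.sub("[email]", text)

def scrub_event(event: dict, hint=None) -> dict:
    """before_send hook: keep only the opaque user id, drop identifying headers,
    and mask emails in the message and breadcrumbs. Returns a new dict; the
    original is left untouched."""
    ev = deepcopy(event)
    user_id = (ev.get("user") or {}).get("id")
    ev["user"] = {"id": user_id} if user_id else {}
    request = ev.get("request")
    if request:
        request["headers"] = {k: v for k, v in request.get("headers", {}).items()
                              if k.lower() not in DROP_HEADERS}
    if "message" in ev:
        ev["message"] = scrub_text(ev["message"])
    for crumb in ev.get("breadcrumbs", {}).get("values", []):
        if "message" in crumb:
            crumb["message"] = scrub_text(crumb["message"])
    return ev

# Wiring (an assumption about the product's setup, shown as a comment so this
# block runs without the SDK installed):
#   sentry_sdk.init(dsn=DSN, send_default_pii=False, before_send=scrub_event)
```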

International transfers are minimised. The default deployment is UK-region hosting on Vercel and an EU-region Postgres provider with UK Standard Contractual Clauses for any incidental US transfer (Sentry is the most common case). The DPIA covers transfer assessment.

The workspace uses one strictly-necessary cookie (the session cookie). No analytics cookies, no marketing cookies, no third-party tracking. The PECR strictly-necessary exemption applies. Detail in PECR and cookies.

Data flow is the diagram of who provides what to whom. UK GDPR sets out each Article that applies and how the platform supports it. DPIA is the template the principal firm completes at adoption. Data minimisation sets the field-level posture. Retention is the table verbatim. Sub-processors lists the third parties and their data-processing addendum status. PECR and cookies covers the cookie posture.