Privacy Policy
Elveden Capital Limited · Last updated 17 May 2026 · Version 1.0
This Privacy Policy explains how Elveden Capital Limited ("Elveden", "we", "us") collects, uses, stores, and protects personal data when you use the Elveden Capital development finance portal (the "Portal") at ims.elvedencapital.com.
We are the data controller for personal data processed through the Portal and are committed to handling that data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Elveden Capital Limited, a company registered in England and Wales.
Contact for any privacy matter: info@elvedencapital.com
2. What personal data we collect
We collect and process the following categories of personal data:
- Account information — full name, work email address, role on the platform, hashed password, multi-factor authentication enrolment.
- Professional identifiers — firm name, profession or trade, Companies House number, VAT number, UTR, NINO (where applicable for CIS), professional indemnity insurance details.
- Contact information — business phone number, registered address.
- Compliance documents — identity verification documents, AML / KYC evidence, professional insurance certificates, accreditation certificates, and any documents you upload to the Portal in support of compliance obligations.
- Transaction and project data — consultant appointments, invoices, payment applications, payment certificates, drawdowns, project stage progress, defects, variations, retention positions, and bank reconciliation data.
- Audit and security data — sign-in times, IP addresses associated with authentication, audit-log entries for every state change you initiate, MFA challenge outcomes.
- Communications — emails sent and received through the Portal, in-app notifications.
3. Why we process your data and the legal bases
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Providing the Portal: account management, project administration, payment certification, drawdowns. | Performance of a contract (Art. 6(1)(b)) and/or our legitimate interests (Art. 6(1)(f)) in operating the platform. |
| Statutory recordkeeping for payments under the Housing Grants, Construction and Regeneration Act 1996 (HGCRA), JCT contracts, CIS, HMRC, and CDM 2015. | Compliance with a legal obligation (Art. 6(1)(c)). |
| Anti-money-laundering checks, sanctions screening, AML / KYC review. | Compliance with a legal obligation (Art. 6(1)(c)) under the Money Laundering Regulations 2017. |
| Security, fraud prevention, and audit-log retention. | Legitimate interests (Art. 6(1)(f)) in maintaining the integrity of the Portal and protecting users. |
| Sending transactional emails (account invitations, password resets, board-approval notifications, drawdown alerts). | Performance of a contract (Art. 6(1)(b)). |
We do not use your data for marketing or advertising, and we do not sell or rent personal data to third parties.
4. Who we share your data with
We share personal data with the following categories of recipient, each acting as a separate controller or as our processor under a written agreement:
- Supabase Inc. — our database and authentication processor. Data is hosted in the European Union.
- Netlify, Inc. — our content delivery network for the Portal's static assets.
- Resend, Inc. — our transactional email provider.
- HM Revenue & Customs (HMRC) — for CIS subcontractor verification and VAT-number lookups, where you have entered the relevant data.
- Companies House — for company-number verification on registered vendors.
- Development finance lenders, monitoring surveyors, employer's agents, and warranty providers — where you are a counterparty to a project that has granted them scoped access.
- Professional advisers — legal, accounting, and audit advisers, where engagement requires.
- Regulators and law enforcement — where required by law or to comply with a binding legal request.
5. International transfers
Our primary hosting is within the European Economic Area (EEA). Where any sub-processor (such as a transactional email provider) operates outside the EEA or the United Kingdom, we rely on the UK International Data Transfer Agreement or the equivalent Standard Contractual Clauses to safeguard transfers.
6. How long we keep your data
Retention reflects the statutory recordkeeping obligations of UK construction finance:
- Account information — for the duration of your access plus 6 years after the closure of your last associated project, in line with the Limitation Act 1980.
- Payment-certification, drawdown, and audit-log records — retained for 12 years, mirroring the typical limitation period for deed-executed contracts.
- AML / KYC records — retained for 5 years after the end of the business relationship, under the Money Laundering Regulations 2017.
- Document store — documents anchored to a project carry the same retention as that project's record set.
Records are securely deleted or anonymised at the end of the retention period.
7. Your rights
Under UK GDPR you have the right to:
- request a copy of the personal data we hold about you (Right of access);
- request correction of inaccurate or incomplete data (Right to rectification);
- request erasure of personal data, subject to our statutory retention obligations (Right to erasure);
- restrict or object to processing (Rights to restriction and objection);
- request your data in a portable, machine-readable form (Right to data portability);
- withdraw consent, where consent was the basis for processing.
To exercise any of these rights, contact info@elvedencapital.com. We will respond within one month of a valid request.
8. Cookies and similar technologies
The Portal uses a small number of strictly necessary cookies for authentication and session management. We do not use advertising or third-party analytics cookies on this Portal.
9. Security
We protect your data with a layered set of controls including transport-layer encryption (TLS) for all traffic, row-level security on the database, multi-factor authentication for users handling financial actions, immutable audit logs on critical state changes, and access-controlled document storage. Sub-processors are contractually bound to equivalent standards.
10. Children
The Portal is not intended for, and we do not knowingly collect data from, anyone under 18.
11. Complaints
If you believe we have processed your personal data unlawfully, you may complain to the UK Information Commissioner's Office at ico.org.uk or by telephone on 0303 123 1113. We would, however, appreciate the opportunity to address your concerns first — please contact us at info@elvedencapital.com.
12. Changes to this policy
We may update this Policy from time to time to reflect changes to the Portal or to UK GDPR guidance. The "Last updated" date at the top of this page indicates the date of the most recent revision. Material changes will be communicated by email to registered users.