Skip to content

Cynergy Business Finance

Privacy Policy

This Privacy Policy applies to personal data held by members of the Cynergy Bank Group as data controllers who will determine how your personal data is processed – the decision makers.

Personal data is information that, on its own or when combined with other details that we have or which is available to us, can be used to identify you.

We’ll explain what we do with the personal data we collect about you or that you provide to us.

For the purposes of this Privacy Policy, the following definitions apply

  • “Cynergy Bank Group” means Cynergy Bank Limited and its group entities;

  • “Bank of Cyprus Group” means Bank of Cyprus Public Company Limited and its group entities.

The following Cynergy Bank Group companies will act as a data controller where you hold a product or service with them or contact them for information on a product or service. You can check your product documentation. Any references to “we, us, our” means either:

  • Cynergy Bank Limited - registered in England and Wales as company number 04728421.

  • Cynergy Business Finance Limited - registered in England and Wales as company number 13322121.

Please note that Cynergy Business Finance Limited is a subsidiary of Cynergy Bank Limited and your personal data may be passed to Cynergy Bank for reporting purposes.

Cynergy Business Finance Limited

Please note that if you are looking to use data extraction services, your data will be passed between Dancerace and Xero which may involve processing of your data by certain third party processors appointed by Dancerace and the transfer of your data outside the EEA. More information can be found on:

If you applied for a Coronavirus Business Interruption Loan (CBILS) or Recovery Loan Scheme (RLS) with Cynergy Bank Limited, please note the following:

You will need to refer to the Data Protection and Disclosure Declaration form provided to you for more details on the processing of your Personal Data, in addition to this Privacy Policy.

If you have any questions, you can also get in touch with us using the contact details at the end of this privacy policy.

Categories of Personal Data that we process

Here are the types of personal information we typically collect when you apply for any product with us:

Financial Details

including information about your income like your salary;

Contact Information

your title, name, home address and address history as well as contact details such as telephone and mobile numbers and email address

Identification Numbers

National Insurance number and Tax Identification number (TIN) for identification purposes including understanding if you are registered for tax purposes. This could be in relation to Individual Savings Accounts (ISA's) or for example, if you are a director of a company applying for a business account

Date of Birth

To confirm your age

Proof of Residency

documents like utility bills and passport information to confirm where you live

Employment Information

we'll need to know if you're working and details about your employer

Online Account Data

if you're setting up an online account, we may collect information like your IP and MAC address if it's relevant

Data from Third Parties

sometimes, we get information about you from other sources, like credit reference agencies (if you apply for things like overdrafts or credit facilities), fraud prevention agencies, publicly available sources like the electoral roll, and sometimes records of debt judgments and bankruptcy information. You can find more about this in the Credit Reference Agencies section

Other Information

anything else you tell us or our agents during the application process

Joint applicants

If you're applying for a financial product with another person, like a joint account or loan, you need to share this privacy notice with them. They should know that you're giving us permission to use their information for the purposes mentioned here. If necessary, they should also agree to let us process their personal details.

If you are someone interested in our services, even if you’re not a customer yet, or if you’re involved in a financial transaction with one of our customers (e.g. account or payment authorisation) or if you’re acting as a security provider (e.g. a guarantor for a loan) or if you’re an authorised representative/agent or beneficial owner of a legal entity or of a natural person who might become our customer, here’s the kind of personal data we may collect:

Name, address, contact details (telephone, email), EU basic payment account identification, birth date, place of birth (city and country), marital status, employed/self-employed, if you hold/held a prominent public function (for PEPs), FATCA / CRS info and authentication data.

Current Account applications

When you apply for a Current Account we will require current income and expenses, employment position and history, property ownership and personal debts, number of dependent children, personal investments and investment income, other banking relationship details, tax residence and tax ID, credit reference agency data, residence or work permit in case of non-EU nationals.

For individuals who will be providing their personal guarantees, the Bank will request personal data disclosing their economic and financial background and credit reference agency data.

Children's data

We understand the importance of protecting children's privacy therefore, we only collect children’s personal data if we have obtained their parents' or legal guardian's consent or unless otherwise permitted under law. We do not provide any online services to children but we may allow children, with their parents' or legal guardian's consent, to access accounts opened for their benefit on the Bank's online banking system in order to view their account balances. For the purposes of this privacy statement, "children" are individuals who are under the age of eighteen (18) years.


When you apply for a mortgage we will require current income and expenses, employment position and history, property ownership and personal debts, number of dependent children, personal investments and investment income, life insurances (life insurance companies, policy numbers, current surrender values), other banking relationship details, tax residence and tax ID, residence or work permit in case of non-EU nationals.

When a mortgage intermediary processes your personal data on our behalf, this Privacy Policy will apply and you should contact us to exercise your rights under data protection laws. When a mortgage intermediary processes your personal data as a data controller in its own right, its own privacy notice will apply and you should ask them for a copy if you do not have one by the time you are introduced to us.

Identity Checks

We carry out credit and identity checks when you apply for a product or services for you or your business. See our section on Credit Referencing Agencies for more information. Some of our identity checks will be done by Jumio Corporation, based in California, USA so we need to share your personal data with them. Please see the section on the Transfer of your personal data to a third country or to an international organisation below. Such personal data can include:

  • Name

  • Date of birth

  • identification image – including a ‘selfie’ image and identity photo documents such as a driving license

  • Email address

  • IP address

For more information on how Jumio Corporation processes your data, please visit:

Please also see the section below on Automated Decision Making and Profiling.

Credit Reference Agencies

We may share your personal data with Credit Reference Agencies and this may be carried out on a different basis depending on the type of product. We will inform you when a search will result in an entry on your credit file.

Data exchanged can include:

  • Name, address and date of birth

  • Credit application

  • Details of any shared credit

  • Financial situation and history

  • Public information, from sources such as the electoral register and Companies House.

We'll use this data to:

  • Verify your identity and your address when you apply for a product or service for you or your business

  • Carry out credit checks and assess whether you or your business is able to afford to make repayments

  • Make sure what you've told us is true and correct

  • Help detect and prevent financial crime

  • Manage accounts with us

  • Trace and recover debts

  • Obtain information about you such as missed payments on other accounts you hold

  • Make sure that we tell you about relevant offers (where you have consented to this); and

  • Ensure any offers provided to you are appropriate to your circumstances (where you have consented to this).

The Credit Reference Agencies may give this information to other organisations that want to check your credit status. You can find out more about the Credit Reference Agencies on their websites, in the Credit Reference Agency Information Notice (CRAIN) which sets out how your data will be processed by Callcredit, Equifax and Experian and their privacy notices.

Joint Applicants and Businesses

If you apply for a product with someone else, we will link your records with theirs. This includes a spouse, partner, civil partner or business partners. These links will stay on your files unless one of you asks the Credit Reference Agencies to break the link. You will normally need to give proof that you no longer have a financial link with each other.

When Credit Reference Agencies receive a search from us they will place a search footprint on your credit file that may be seen by other lenders and those that you apply with. It is important that they know your records will be linked together, and that credit searches may be made on them so you should tell them before applying.

We will go on sharing your personal data with Credit Reference Agencies for as long as you are a customer and will include details:

  • of your repayments and whether you repay on time

  • about your settled accounts and any debts not fully repaid on time;

  • of funds going into the account and the account balance.

Fraud Prevention Agencies

We may need to confirm your identity before we provide products or services to you or your business. Once you have become a customer of ours, we will also share your personal data as needed to help detect fraud and money-laundering risks. We use Fraud Prevention Agencies (FPA) such as CIFAS and National Hunter to help us with this, and if false or inaccurate information is provided and fraud identified, details will be passed to Fraud Prevention Agencies to prevent money laundering.

Both we and Fraud Prevention Agencies can only use your personal data if we have a proper reason to do so. It must be needed either for us to obey the law, or for a ‘legitimate interest'.

A legitimate interest is when we have a business or commercial reason to use your information. This must not unfairly go against what is right and best for you.

We will use the information to:

  • Confirm your identity

  • Help prevent fraud and money-laundering

  • Fulfil any contracts you or your business has with us

We or a Fraud Prevention Agency may allow law enforcement agencies to access your personal data. This is to support their duty to detect, investigate, prevent and prosecute crime.

FPAs can keep personal data for different lengths of time. It is up to six years if they find a risk of fraud or money-laundering.

The information we use:

  • Name

  • Date of birth

  • Residential address

  • History of where you have lived

  • Contact details, such as email addresses and phone numbers

  • Financial data

  • Data relating to your or your business products or services

  • Employment details

  • Data that identifies computers or other devices you use to connect to the internet. This includes your Internet Protocol (IP) address

Why we process your personal data and on what legal basis

We are committed to protecting your privacy and handling your data in an open and transparent manner and as such we process your personal data in accordance with the Data Protection Act 2018 for one or more of the following reasons:

  1. Performance of a Contract: We process your data to carry out banking transactions and offer financial services. This includes completing our acceptance procedure to enter into a contract with you. The specific purpose depends on the product or service, and you can find more details in the product terms and conditions.

  2. Compliance with Legal Obligations: We have to follow various laws and regulations, such as UK banking law, money laundering laws, tax laws, deposit guarantee protection laws, and various payment scheme rules. We're also subject to the rules of supervisory authorities. To meet these obligations, we process personal data for purposes like credit checks, identity verification, compliance with court orders, tax or other reporting, and anti-money laundering controls.

  3. Safeguarding Legitimate Interests: Sometimes, we process your data based on our or a third party’s legitimate business interests. However, this must be done in a way that doesn't harm your rights and interests. Examples of such processing activities include:

    1. Initiating legal claims and preparing our defence in litigation procedures

    2. Means and processes we undertake to provide for the Bank's IT and system security, preventing potential crime, asset security, admittance controls and anti-trespassing measures

    3. Setting up CCTV systems, e.g. at ATMs, for the prevention of crime or fraud

    4. To adhere to best practice, rules and requirements of bodies such as HM Revenue and Customs (HMRC); the Financial Conduct Authority; the Prudential Regulation Authority; the Financial Ombudsman Service; the Information Commissioner's Office; the Financial Services Compensation Scheme

    5. Measures to manage business and for further developing products and services,

    6. Sharing your personal data to other companies in the Bank of Cyprus Group where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group

    7. Our own and risk management

    8. The transfer, assignment (whether outright or as security for obligations) and/or sale to one or more persons (including the Bank of England) of and/or charge and/or encumbrance over, any or all of the Bank's benefits, rights, title or interest under any agreement between the customer and the Bank.

  4. Consent:

    1. In some cases, we process your data because you've given us your consent. You have the right to withdraw this consent at any time, but it won't affect any processing that occurred before you withdrew your consent. Examples of when we process data with your consent are:

    2. When you request us to share your data with someone else

    3. When you indicate you wish to receive direct marketing from us

    4. For some special categories of Personal data such as data regarding your health or if you have special circumstances which may require us to tailor how we communicate with you; in such circumstances we will explain to you when we ask for your consent what purpose and how we will use your data.

  5. Substantial Public Interest: We may process data for substantial public interest reasons under applicable laws. This helps us fulfill broader social obligations, such as processing health-related information or tailoring our communication with you based on special needs. It also helps us meet our legal and regulatory obligations.

Recording our calls

We regularly record and monitor our telephone calls to help:

  • improve customer service

  • meet our legal and regulatory requirements

  • answer your queries and issues

  • detect and prevent fraud and/or other crimes

Social media and other public websites

You may find us on social media websites including (but not limited to) LinkedIn, Twitter and YouTube. We use these websites to provide news about us and any upcoming events. We may also appear on other public websites including (but not limited to) Trustpilot.

If you engage with us on any website, please note this will become public information, therefore, do not share your personal account information on any of the websites, including through the use of private messages as we cannot guarantee how secure they are.

Any information that you provide us with on social media web pages may be retained by the website for longer than your relationship with us.

Please note we will not put any of your personal data on social media or any other public website.

Text Message (SMS) and Push Notifications

We will send you text messages and push notifications (messages that pop up on mobile devices) and through new methods that may become available in the future.

Text Messages

We will send you a text message to your mobile device allowing you to verify your identity (authentication) and access the service when you first register for online banking/mobile banking. We may send you text messages in limited circumstances for example, if we are required to do so for regulatory reasons.

There are additional services you can request to receive via text message alerts for example, daily balances, transaction alerts, mini statements. The availability of these services will depend on the type of account you have and you should refer to your product conditions for more information.

Push Notifications

Push notifications allow us to directly send you a notification to your mobile device allowing you to verify your identity (authentication) and access the service. We may do this in the following circumstances:

  • when you first register for online banking/mobile banking; and

  • every time you initiate a banking process such as making a payment, or withdrawing funds.

Who receives your personal data?

In the course of the performance of our contractual, statutory, legal or regulatory obligations or if you have given your consent, your personal data may be provided to:

  • various departments within the Cynergy Bank Group; and the Bank of Cyprus Group where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group

  • Supervisory and other regulatory and public authorities where a statutory obligation exists e.g.:

    • the Financial Conduct Authority (FCA)

    • the Prudential Regulation Authority (PRA)

    • Bank of England

    • the Financial Ombudsman Service (FOS)

    • the Financial Services Compensation Scheme (FSCS)

    • European Central Bank where we have a contractual requirement to do so following our separation from the Bank of Cyprus Group.

  • Credit and financial institutions such as correspondent banks and the British Business Bank plc

  • Share and stock investment and management companies

  • Valuers and surveyors

  • Non-performing loan management companies

  • External legal firms

  • Financial and business advisors

  • Auditors and accountants

  • Marketing companies (where you have provided consent) and market research companies

  • Companies which help us to provide you with debit, cards such as Visa and process those payments

  • Credit Reference Agencies and Fraud Prevention Agencies as explained above

  • File storage companies, archiving and/or records management companies, cloud storage companies

  • Companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support and facilitating payments

  • Purchasing and procurement and website and advertising agencies

  • Potential or actual purchasers and/or transferees and/or assignees and/or charges (including the Bank of England FLS) of any of the Bank's benefits, rights, title or interest under any agreement between the customer and the Bank, and their professional advisors, service providers, suppliers and financiers

  • Receivers

  • Debt Collection Agencies

All data processors appointed by us to process personal data on our behalf are bound by a contract imposing confidentiality and data protection obligations including compliance with the Data Protection Act 2018 or GDPR.

Transfer of your personal data to a third country or to an international organisation

Whilst we are based in the UK sometimes it's necessary to transfer information outside the UK. Data transferred within the European Economic Area (EEA) is protected by European data protection standards. Some countries outside the EEA do not have adequate protection for personal data under laws that apply. We will therefore make sure that adequate protection is in place before data is transferred in such circumstances.

Automated decision-making and Profiling

We may process some of your data automatically in limited circumstances, with the goal of assessing certain personal aspects (profiling), in order to enter into or perform a contract with you.

In the following cases, an individual review will be completed before a final decision is made:

  • Data assessments (including on payment transactions) are carried out in the context of combating money laundering and fraud. An account may be detected as being used in a way that is unusual for you or your business. These measures may also serve to protect you.

    • We use a detection system that computes a risk score and a decision. It may include (but not limited to) running algorithms and location (IP address), user behaviour metrics (comparing traits adopted by fraudsters or behavioural trends which do not match your usual activity), your network connection and checks against fraud & malware databases. If it is determined that there is a risk, you may be denied access to your online banking/mobile banking or asked to perform extra authentication, your account may also be frozen.

  • Credit scoring is used as part of the assessment of your creditworthiness. This calculates whether you or your business will meet your payment obligations pursuant to a contract. This helps us make responsible lending decisions that are fair and informed.

Identity checks

A decision to process your application may be made without human involvement and based on technological means. This will occur where the photo on an identity document is compared with a ‘selfie’ to verify the person making the application is the owner of the identity document. See Identity Checks above for more information.

Please note you can object to automated decision making by not consenting to this privacy policy; however, you will not be able to take out a product or service with us. This is because we have a contractual necessity and legitimate interest for the purposes of complying with our regulatory requirements to carry out due diligence on customers/transactions and prevent fraud.

If you have provided consent and wish to withdraw it, you can do so but note that this may limit your ability to use our products and services and may result in the closure of your account(s).

Marketing activities and surveys


We may process your personal data to tell you about products, services and offers that may be of interest to you or your business but only if you have provided explicit consent to do so and only via the method(s) you have requested e.g. post, email etc.

The personal data that we process for this purpose consists of information you provide to us and data we collect and/or infer when you use our services, such as information on your transactions. We analyse this information to better understand your needs and interests.

You have the right to object at any time to the processing of your personal data for marketing purposes by contacting either in person or in writing or by calling 0345 850 5555 (+44 (0)20 3375 6422 from outside the UK). Calls may be recorded for monitoring and training.

Your right to object does not prevent us from providing information to you when requested or required by an industry regulator, such as under the FCA. This is true even where customers have previously ‘opted out’ of direct marketing. For example, we will make our customers sitting on lower rate products aware of higher rate products that the Bank has that may better serve their financial objectives.


Occasionally, we may send you surveys via email to help us understand your customer experience and improve our products and services. For example, we may send you a survey after you contact us whether that is via telephone, secure message or a web enquiry. These surveys are not marketing as we will not be advertising a product or service to you but obtaining feedback. Our legal basis for this processing is legitimate interest and consent obtained via this privacy policy.

If you wish to stop receiving surveys, you can click on the provided link within the survey invite, or by calling us on the above number.

How long we keep your personal data for

New Applications

If you are applying for a product or service online, you may be able to save your application so that you can return to it as and when you wish. Where this function is available, if you are the primary applicant, we will hold your data for 14 days from the start of the application. If you do not complete your application within 14 days or you cancel it before submitting, all your data will be deleted. If you are an additional/joint applicant and requested to add your information, your data will be held for 14 days from the date we send you an email requesting this. If you do not submit your information within 14 days or you cancel it before submitting, all your data will be deleted.

In all other cases

We may keep your data for up to 10 years

  • after your account closes

  • after your application for a product or service is refused

  • after you have submitted your application but decided not to proceed.

In limited circumstances we may keep your data for a shorter period for example, if you opened an individual savings account and did not fund it.

How long we keep your data is based on a mixture of our legal and regulatory obligations and limitation periods. The reasons for keeping your data are:

  • To respond to queries or complaints or regulatory requests;

  • Defend or take legal action;

  • To maintain records according to any rules that apply to us; and

  • For research and statistical purposes to ensure we continue to make informed lending decisions and understand the performance of our savings products.

We may keep your data for longer than 10 years if we cannot delete it for legal, regulatory or technical reasons.

Retention periods may be changed from time to time based on business or legal and regulatory requirements and we keep these under review annually.

Your data protection rights

With regards to your personal data, you can:

  • ask to have access to it (Data Subject Access Requests) - for more information, please go on our FAQs and use the drop down for GDPR: The General Data Protection Regulation. You can also obtain the Data Subject Access Request form on our website.

  • ask us to correct it (rectification) – for example if we hold incomplete or inaccurate data.

  • ask us to delete it – also known as the ‘right to be forgotten'. Please note however that this right does not take precedence over our obligations as a regulated business to retain your data in certain circumstances.

  • object to us processing it - if you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. If you object to processing for direct marketing purposes, then we shall stop the processing of your personal data for such purposes.

  • Restrict how we use it - if:

    • it is not accurate,

    • it has been used unlawfully but you do not wish for us to delete it,

    • it is not relevant anymore, but you want us to keep it for use in possible legal claims,

    • you have already asked us to stop using your personal data but you are waiting us to confirm if we have legitimate grounds to use your data.

  • ask us to provide your data (data portability) - in a format that is structured and commonly used and transmit such data to other organisations. You also have the right to have your personal data transmitted directly by ourselves to other organisations you will name.

  • tell us you withdraw your consent to us processing your data - at any time. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.

To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact us using the details at the end of this privacy policy. We endeavour to address all of your requests promptly.

Right to lodge a complaint

If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to complain by contacting us. You also have the right to complain to the Information Commissioner's Office. Find out on their website how to submit a complaint at .

Frequently asked questions

To help you understand the basic principles of data privacy law and address some of the common questions that arise with regard to the protection of your personal data, please refer to the Frequently Asked Questions.


Browsers are software used to access any webpage, like Internet Explorer, Firefox or Google Chrome, to help navigate through websites. Cookies are small amounts of text that websites send to your browser to help it navigate through the pages.

Cookies contain information that is transferred to your computer's hard drive/mobile devices. These cookies are used to store information, such as the time that the current visit occurred, whether you have been to the site before and what site referred you to the web page.

Strictly Necessary Cookies

These cookies are essential for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the website will not then work. These cookies do not store any personal data.

Targeting Cookies

These cookies may be set through our website by our advertising partners. We currently partner with Meta and LinkedIn. To view information for these cookies, please use the links below:



They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not directly store personal data, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Functional Cookies

These cookies enable the website to offer enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Performance Cookies

Our website uses performance cookies to monitor how the website is used. All information is stored in an anonymous form and no personal data is captured by this site automatically.

We use performance cookies on our website and Live Chat to:

  • Store the location of the IP address so that customers accessing the site from outside the UK are routed to the international customer's section of the website;

  • Help us improve the website by understanding what pages are popular;

  • Identify and correct errors;

  • Provide statistics on how our website is used so we can improve the site; and

  • Monitor the effectiveness of our adverts.

IP address, operating system and browser type. This is statistical data, used to analyse user's browsing patterns to help us understand how customers use the site, and does not identify any individual.

Information on how to disable cookies is available

IP address

Your IP address is the individual identification number that is assigned to your computer when connected to the Internet. This is automatically logged by our web-server and Online Banking application. We use the IP address to route users to the international customer's pages if the IP address is located outside the UK. Unless we suspect fraud, your IP address will not be used to identify you personally.

Google Analytics

Google Analytics is a web analytics tool that helps us understand how visitors engage with our website. Google Analytics enables us to view a variety of reports about how visitors interact with our website so we can improve it. Google Analytics uses first-party cookies to collect information about how visitors use our site. We then use the information to compile reports and to help us improve our site.

Google Analytics collects information anonymously. It reports website trends without identifying individual visitors. You can opt out of Google Analytics without affecting how you visit our site – for more information on opting out of being tracked by Google Analytics across all websites you use, visit this Google page. Our 'Performance' cookies will not be used to:

  • Gather information that can be used to advertise products or services to you on other websites;

  • Target adverts to you on any other website.

Equifax will have access to Google Analytics in a ‘read only’ format in order to understand the traffic that passes through our website, allowing us to improve our services and product offerings. This information will continue to remain anonymous and will not identify any individual visitor. Opting out of Google Analytics will prevent access by Equifax.

Using our site indicates that you accept the use of our cookies. If you disable them we cannot guarantee how our site will perform.

Disabling cookies

Most popular browsers give users control over the cookies stored on their machines. You can manually set your browser to accept or reject all or certain cookies or to prompt you every time a cookie is offered. Please note that a cookie will be used to remember your preferences, therefore:

  • If you delete all your cookies you will have to update your preferences with us again.

  • you use a different device, computer profile or browser you will have to tell us your preferences again.

Please note that parts of our website may direct you to a third party's website over which we have no control. For more information about cookies please visit the website set up by the Interactive Advertising Bureau (Europe) at .

Other websites

Our website contains links to other websites. This privacy policy only applies to this website. Other websites will have their own privacy policies and when we transfer you to another website we will make this clear to you.

Changes to our privacy policy

We regularly review our privacy policy and will post any updates on the relevant section of our website.

Contact Details

If you have any questions about this privacy policy or the information we hold about you or want to exercise your rights, then you may phone us on 0345 850 5555, write to us at Cynergy Bank, PO Box 80030 London, EC4P 4NG or send us a secure message through your Online Banking.

You can also contact the DPO via email at .