Data Protection Statement

1. Our Commitment

Percayso Data Exchange Limited (“PDX”) is committed to protecting the privacy and security of personal data. As a neutral data exchange operating in the UK lending market, we recognise that data protection is fundamental to the trust that lenders and Credit Reference Agencies place in our platform.

This statement sets out how PDX approaches data protection, the standards we maintain, and the governance framework that underpins our operations.

2. Regulatory Framework

PDX complies with the following data protection legislation and standards:

  • UK General Data Protection Regulation (UK GDPR) as retained in UK law
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025 where applicable to our processing activities
  • Privacy and Electronic Communications Regulations 2003 (PECR) in relation to electronic communications and cookies

PDX is registered with the Information Commissioner’s Office (ICO). Our registration number is ZA462608.

3. Our Role in Data Processing

PDX as Data Processor: When lenders submit credit data through our platform for validation, standardisation, and distribution to CRAs, PDX acts as a data processor. The lender remains the data controller and determines the purposes and means of processing. PDX processes this data strictly in accordance with documented instructions from the lender under a data processing agreement.

PDX as Data Controller: PDX acts as a data controller for personal data collected through its website, for its business contact database, and for employee and contractor data. In these cases, PDX determines the purposes and means of processing and is directly accountable to data subjects.

4. Data Protection Principles

All processing carried out by PDX adheres to the seven data protection principles:

  • Lawfulness, fairness, and transparency: All processing has a documented lawful basis. Privacy notices are clear and accessible.
  • Purpose limitation: Credit data is processed only for the purposes specified in our data processing agreements. Website data is processed only for the purposes stated in our privacy policy.
  • Data minimisation: We process only the data necessary for the specific purpose. Our platform validates and standardises data but does not collect additional personal data beyond what is submitted by lenders.
  • Accuracy: Data validation and quality assurance are core functions of the PDX platform. We work with lenders to ensure submitted data is accurate and up to date.
  • Storage limitation: Data is retained only for as long as necessary. Retention periods are defined in our data processing agreements and internal retention schedule.
  • Integrity and confidentiality: Security standards aligned with ISO 27001. Secure cloud infrastructure with encryption, access controls, audit logging, and incident response procedures.
  • Accountability: Documented policies, processing records, data protection impact assessments, and regular reviews.

5. Security Standards

PDX maintains security standards aligned with ISO 27001. Our security measures include:

  • Encryption of data in transit and at rest
  • Role-based access controls with the principle of least privilege
  • Secure cloud-based infrastructure with built-in redundancy
  • Comprehensive audit logging and traceability for all data processing activities
  • Regular security assessments and vulnerability testing
  • Incident response procedures with defined escalation paths
  • Staff training on data protection and information security

6. Data Processing Agreements

All lenders and CRAs who use the PDX platform operate under formal data processing agreements that specify:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The types of personal data processed
  • The categories of data subjects
  • The obligations and rights of the data controller
  • PDX’s obligations regarding security, confidentiality, sub-processing, international transfers, and data subject rights

7. Sub-Processors

PDX uses a limited number of sub-processors to deliver its services. All sub-processors are subject to equivalent data protection obligations through written contracts. A current list of sub-processors is available on request.

8. International Transfers

PDX primarily processes data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in compliance with UK GDPR, including standard contractual clauses or transfers to countries with adequacy decisions.

9. Data Subject Rights

Where PDX is the data controller, individuals can exercise their data protection rights by contacting privacy@pdx-hub.com. We will respond within one month.

Where PDX is acting as a data processor, requests from data subjects will be referred to the relevant data controller (the lender) in accordance with our data processing agreements. We will assist the data controller in fulfilling these requests as required.

10. Data Breaches

PDX has documented procedures for detecting, reporting, and investigating personal data breaches. In the event of a breach:

  • We will notify affected data controllers without undue delay
  • Where required, we will notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms
  • We will take immediate steps to contain the breach and mitigate any harm
  • We will conduct a root cause analysis and implement corrective measures

11. Governance

Data protection governance at PDX includes:

  • A designated data protection contact responsible for overseeing compliance
  • Documented policies covering data protection, information security, data retention, and breach management
  • Regular review of processing activities and data protection impact assessments for high-risk processing
  • Staff awareness training on data protection obligations

12. Contact

For any questions about data protection at PDX, please contact:

Data Protection Contact
Percayso Data Exchange Limited
Hine House, 25 Regent Street, Nottingham, NG1 5BS
Email: privacy@pdx-hub.com

You also have the right to lodge a complaint with the Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.

Last updated: June 2026