We need to verify the information that you provide us with as a company representative, including your company’s name, business address, and registered number. This data is provided by you (“Buyer”) to the Marketplace through its online checkout platform and enabled by Two’s Services. The legal basis for this processing is our legitimate interests in ensuring that we will be invoicing the correct company at the right invoicing address (UK GDPR Article 6(1)(f)). For this purpose, we process limited personal data (the fact of the company you represent and your contact telephone number).
We only share the name of the company and registered number with our financing partner and not any personal data about you, the representative. The purpose of this is to inquire whether our financing partners are interested in purchasing the invoice. Where this involves any personal data (for example if the company is a sole trader or unlimited liability partnership), this processing is based on our legitimate interests in providing the Services to companies and the banks (UK GDPR Article 6(1)(f)).
If none of the financing partners are interested in purchasing the order invoice, the Supplier will not present Two as an active payment option.
If one or several financing partners are interested in purchasing invoices regarding orders placed by you, we shall present Two as a payment option.
Under specific circumstances, we may require to verify both the company placing the order as well as your identity, as somebody claiming to represent the company. To do this we will then process personal data about you including your name, your company email address, IP address, the company delivery address, and which company you claim to represent. The provision of this information is required so that we can offer Two as a payment solution. We will also conduct background checks to verify that you are with the company you claim to place an order on behalf of. We use methods provided by Credit Safe, Yapily and Sift for these ID verification purposes. Some of these checks include open banking solutions which require you to log into your private bank account and confirm your identity – the bank will confirm to us that you are who you say you are.
Additionally, we may also ask you to provide a director’s email address to provide an additional level of authorisation.
The legal basis for this processing is our legitimate interests in verifying the company and ensuring that you are authorised to represent the company (UK GDPR Article 6(1)(f)) you claim you represent.
If a financing partner confirms its interest in buying a payment claim, Two facilitates the sale of the invoice from the Supplier via the Marketplace to the financing partner. For these purposes, we collect and share with the financing partner information about your name, contact details, the company delivery address, the name of the company, the company organisation number, and the items and products purchased.
Two also facilitates the distribution of the invoice to the buyer company. For this purpose, we will share this same information with your company, and both you and the company will receive a PDF of the invoice.
The legal basis for this processing is our legitimate interests in facilitating the delivery of Two to the buyer company and the financing partner (UK GDPR Article 6 (1)(f)).
Two provides the opportunity to prospective company representative buyers to onboard themselves (as an individual) and their company via Two’s Buyer Centre. This onboarding requires the collection and other processing of information on the company name, company organisation number, registered company address, and (for the representative) your name, work email address, relationship to the company, work department, mobile phone number and individual authentication (via Credit Safe, Yapily and Sift as explained above in section 1.2).
Companies can onboard a number of users to the Buyer Centre. Company representatives who are Admin Users can edit Buyer Profile Types as well as spending limits for all users onboarded on behalf of a company. Users can view a dashboard of and can download locally purchase history of their own transactions conducted via Two. Admin Users can view all the company’s transactions conducted via Two. This will include information about which Supplier sold the goods or services, which user made the purchase, order data, order amount, which products or services were purchased, order delivery (yes/no) and payment status (paid/to be paid/in arrears).
Using the Buyer Centre is voluntary. The legal basis for the processing is our legitimate interests in facilitating the delivery of Two to the buyer company and allowing the company to manage their purchases (UK GDPR Article 6 (1)(f)).
Two also provides the opportunity for prospective Supplier representatives, where applicable, to onboard themselves (as an individual) and their company via Two’s Merchant Centre. For this purpose, we will process information about the company name, company organisation number, registered company address, annual B2B sales, annual turnover, tax residency, countries of operation, bank account number, selection of product and service types it wants to offer and the website URL. For the representative, we will also process personal data about your name, work email address, individual authentication (Yapily and Sift as described in section 1.2 above), your relationship to the company, mobile phone number, date of birth, and answers to a series of ‘KYC Questions’.
Merchant Centre users can view a dashboard and can download locally, sales history of the Supplier’s transactions conducted via Two. This includes information about the buyer company’s name (who bought goods/ services), the name of the buyer’s representative who completed the transaction, the transaction date, transaction items sold, order amount, order delivery (Yes/ No) and payment status (paid/to be paid).
Merchant Centre users can set up rules to qualify the (i) level of Strong Customer Authentication (i.e. whether they want all transactions to be subject to open banking verification, rather than just those above a certain level), and (ii) establish ‘recourse’ on transactions – i.e. allow the Suppliers or the Marketplace itself to take on transactions that fail the financing partner’s credit check. This will include information about transactions to which no Strong Customer Authentication is required, max order amount, and max buyer credit riskiness (e.g. Probability of Default) required in order for the Supplier or Marketplace to provide recourse for a prospective invoice financing facility.
Processing as described in this section is based on our legitimate interests in enabling the Marketplace and their representatives to use Two (UK GDPR Article 6 (1)(f)).
Two uses computer algorithms based on registered fraud events to identify patterns and predict future fraud behaviour for both existing and new Suppliers, buyer companies, and individuals representing or claiming to represent prospective buyers and/or buyer companies. For this purpose, we process information about fraud events, type of fraud events, date of fraud events, company name, company organisation number, name of involved individual(s), IP address, delivery address, email address, phone number, “device fingerprint” (if available), order value at risk, recovery of order value after event, number of days until recovery.
Two also builds statistical models based on registered credit events to identify patterns and predict future credit risky behaviour for both existing and new Suppliers, buyer companies, and individuals representing or claiming to represent prospective buyers or buyer companies. For this purpose, we process information about credit events, type of credit events, date of credit events, company name, company organisation number, name of involved individuals, transacting order, order value at risk, products and number of items per product in transaction, recovery of order value after event and number of days until recovery.
We therefore sometimes make ‘automated’ decisions when we approve or decline a company’s application to use a credit service, on the basis of fraud or poor credit indicators. This includes some limited personal data. If your company is not approved under the processes described above, you can contact us and we will determine whether the procedure was performed appropriately.
The legal basis for these processing purposes is our legitimate interests in preventing, identifying and handling fraud events and in preventing, identifying and handling credit events involving risky behaviour.
We will contact companies and their representatives for sales and marketing purposes. This includes direct marketing to potential and existing Suppliers or prospective buyers, conducting customer surveys and finding potential prospective buyers via social media. We may, on occasion, use social media channels such as LinkedIn to reach out to those who we note are recurring users, or who we think may otherwise benefit from use of our platform.
We will process information about the company name, phone number, email and URL, and the name and contact information of the relevant company representatives.
Direct marketing to potential prospective buyers at their business contact address, as well as our other sales and marketing purposes, is based on our legitimate interests in promoting and increasing the sale of our products and services (UK GDPR Article 6(1)(f)).
We will process personal data about you if you contact our customer services team. The information processed will depend on the information you disclose to us and what other information it is necessary to process in order to respond to your enquiry. The processing is based on our legitimate interests in receiving feedback in order to further develop and improve the Services (UK GDPR Article 6(1)(f)).
We also collect and process personal data to improve our Services, develop new Services and support our efforts to make our Services more relevant and more useful to you (UK GDPR Article 6(1)(f)).
We will process personal data in order to comply with certain legal obligations, such as accounting obligations. In such cases, we will only process personal data insofar as necessary in order to fulfil the relevant legal obligations (UK GDPR Article 6(1)(c)).
In some cases, it is necessary for us to process personal data for the establishment, exercise and/or defence of legal claims. We will only process personal data insofar as necessary for our legitimate interests relating to such claims (UK GDPR Article 6(1)(f)).
We share personal data with the Marketplace, Suppliers, buyer companies, and financing partners, in addition to verification providers (such as Yapily and Sift), as further described above. We also use Google Cloud for hosting purposes, and the hosting servers are located within the EU/EEA.
We will share personal data when necessary in order to facilitate commercial transactions, such as mergers and acquisitions. We also share data with governmental and supervisory authorities, regulators and others when required or permitted to do so by law or where necessary to protect and defend our rights or property, act in urgent circumstances to protect the safety of our users or the public, protect against legal liability, to investigate fraud or any other unlawful activity. We will not transfer personal data to recipients in countries outside the UK or EU/EEA that do not offer adequate data protection, unless appropriate safeguards are in place, such as using approved standard contractual clauses.
We store personal data for as long as necessary to fulfil the purposes described above or longer if needed to comply with our legal obligations, or to establish, exercise or defend legal claims. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable opportunity. Generally, this will be for the duration of our agreement with you or our client, and for 6 years thereafter. We may rectify, update or remove incomplete or inaccurate information, at any time and at our own discretion. For more information on our retention periods you can contact us using the details below.
We handle your personal data securely and have established procedures that meet data protection requirements. The security measures are of technical, contractual and organisational nature. For example, we conduct regular assessments of the security in all central systems that are used for the handling of personal data. We have also entered into agreements with our subcontractors that require them to ensure appropriate information security regarding the services they provide to us. We limit the access to personal data to personnel who have a need for access in order to carry out their tasks. We have implemented access control so that personal data is only available for personnel with a justifiable need.
You can have certain rights in personal data concerning you. What rights you have depends on the circumstances and applicable law. Some rights that may be relevant for you are:
Right to access: A right to access personal data concerning you that we process.
Right to request rectification or deletion: You can request rectification of incorrect or outdated personal data about you. You can also request that we delete personal data about you.
Right to object: You can object to the processing of personal data concerning you for direct marketing purposes. Depending on the circumstances, you may also have a right to object to processing for other purposes. To stop receiving our marketing communications, you can use the unsubscribe mechanism in the relevant communication or you can send us an email to firstname.lastname@example.org with the information necessary to process your request. Please note that this will not stop you from receiving service-related messages relating to your use of your Two account.
Right to data portability: In certain cases, you can have your personal data transmitted from us to another controller.
Right to withdraw consent: If you have consented to our processing of your personal data, you may withdraw this consent at any time. Withdrawing your consent will not affect the lawfulness of processing based on your consent prior to the withdrawal.
Right to lodge a complaint with a supervisory authority: If you disagree with the way we processes personal data about you, you can lodge a complaint with the relevant supervisory authority (in the UK this is the Information Commissioner’s Office). We hope that you choose to contact us first.
These rights may be limited for example if fulfilling your request would reveal personal data about another person or if you ask us to delete information which we are required to keep by law or have compelling legitimate interests to keep. Relevant exemptions are set out in the UK Data Protection Act 2018. We will information you of the relevant exemptions we rely on when responding to any request you make.
163 City Road