Back to mintstone.co.uk
Legal & Policy

Privacy Policy

Last updated: 14 June 2026

1. Introduction

Mintstone Ltd ("we", "us", "our") is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.1 Our role: when we are a controller and when we are a processor

Mintstone acts in two different roles depending on whose data is involved. This distinction matters for who is responsible for the data:

  • As a data controller for: our lender customers' staff and platform users (account and login data), wholesale funder users who connect to oversee loans they capitalise (account and login data), people who contact us through our website, and our own platform operations data (security logs and analytics). This privacy policy is the primary notice for that data, and we determine why and how it is processed.
  • As a data processor for: the personal data a lender connects or uploads in order to monitor its loans, including borrower and developer details, bank transaction data (via Open Banking), uploaded documents, and contractor information. This also covers the read-only loan view a lender chooses to share with a wholesale funder, and the Companies House and collateral checks we run on a lender's behalf to detect double-pledging. For that data the lender is the data controller. The lender decides what is monitored and is responsible for providing the primary privacy notice to those individuals. We process it only on the lender's documented instructions under a Data Processing Agreement. The sections below describe that processing as supplementary transparency information; they do not replace the notice the lender must provide.

Data Controller (for the data where Mintstone is the controller):
Mintstone Ltd
Company No. 17105543
ICO Registration: ZC119192
Registered office: 128 City Road, London, EC1V 2NX, United Kingdom
Email: contact@mintstone.co.uk

2. Personal Data We Collect

2.1 Lender Users (Primary Customers): Mintstone is controller

  • Account Information: Name, email address, phone number, job title, organisation
  • Authentication Data: Password (hashed), session tokens
  • Usage Data: Login timestamps, feature usage, IP addresses, browser information
  • Business Data: Project monitoring data, risk assessments, portfolio information

2.2 Developer/Borrower Users: Mintstone is processor; the lender is controller

  • Account Information: Name, email, phone number, company details
  • Project Data: Property addresses, project budgets, timeline information
  • Banking Data: Bank account connections via TrueLayer (Open Banking) for transaction monitoring
  • Documents: Invoices, valuations, JCT contracts, photos uploaded via Telegram/web

2.3 Contractor Users: Mintstone is processor; the lender is controller

  • Contact Details: Name, phone number, email (optional)
  • Work Records: Photos uploaded via Telegram, activity logs
  • Monitoring Records: Telegram group membership, message processing logs

2.4 Funder Users (Wholesale / Institutional): Mintstone is controller

  • Account Information: Name, email address, phone number, job title, organisation
  • Authentication Data: Password (hashed), session tokens
  • Connection Data: Which loans a lender has attached to the funder, and the acceptance, decline, or revocation status of each attachment

2.5 Funder loan sharing, Companies House checks, and collateral fraud detection: Mintstone is processor; the lender is controller

Two newer parts of the platform process borrower and project data on a lender's behalf:

  • Funder loan sharing: A lender may attach a wholesale funder (a bank or institution providing it capital) to a specific project. Where the funder accepts, we give that funder a read-only, aggregated view of that single loan. Personal data is minimised: the developer's email address and raw bank transactions are never shared with the funder, and audit lineage is shown by acting role only, not by name. The funder only ever sees the specific loans a lender has deliberately placed with that funder, and access ends immediately if the lender detaches the funder.
  • Companies House and collateral checks: To detect collateral fraud and double-pledging, we check the public Companies House register for charges registered against the borrower company and connected entities (at approval and on a periodic re-check), and we cross-reference the asset and borrower against other loans monitored on the platform. Cross-platform matches are existence-only flags: they tell a lender that the same collateral appears elsewhere, without revealing the other lender's identity or details. These checks are presented to the lender for human review and never block a decision automatically. Mintstone does not decide whether fraud has occurred: we surface factual register data and existence-only flags, and the lender or funder makes any judgement.

The legitimate-interests assessment for the collateral checks, and a data protection impact assessment for the cross-lender matching, are being finalised and will be linked here.

3. Lawful Basis for Processing

The lawful bases below apply to the personal data for which Mintstone is the controller (see section 1.1). For the borrower, banking, document, and contractor data we process on a lender's behalf, the lender (as controller) determines the lawful basis; we process that data only on the lender's documented instructions.

We process the personal data we control under the following lawful bases:

  • Contractual Necessity: To provide our SaaS platform services to lender customers
  • Legitimate Interest: To improve our platform, prevent fraud, and provide customer support
  • Legitimate Interest: For monitoring contractor communications in project Telegram groups for construction progress tracking and variation detection (Art. 6(1)(f). See our Legitimate Interests Assessment)
  • Legitimate Interest: For detecting collateral fraud and double-pledging by checking the public Companies House register and cross-referencing collateral across monitored loans (Art. 6(1)(f). Legitimate Interests Assessment in progress)
  • Legitimate Interest: For sharing a minimised, read-only loan view with a wholesale funder a lender has attached to a project, so the funder can oversee the risk on loans it capitalises (Art. 6(1)(f))
  • Legal Obligation: To comply with financial services regulations and audit requirements

4. How We Use Your Data

  • Provide project monitoring and risk management services to lenders
  • Enable real-time communication between lenders, developers, and contractors
  • Process and classify financial transactions via Open Banking integration
  • Detect collateral fraud and double-pledging via Companies House charge checks and cross-loan collateral matching
  • Share a minimised, read-only loan view with a wholesale funder a lender has attached to a project, once the funder accepts
  • Analyse invoices, valuations, and contracts using AI/OCR (see section 6 for how we safeguard data sent to AI sub-processors)
  • Send notifications about project updates, alerts, and platform features
  • Improve platform performance and develop new features

5. Third-Party Services & Data Processors

We use the following sub-processors, all with UK GDPR-compliant Data Processing Agreements:

  • AWS (eu-west-2, London): File storage (S3), database hosting
  • Vercel: Application hosting and analytics (EU region)
  • OpenAI (GPT-4o): Document analysis, text extraction, and OCR (zero-retention API, DPA in place)
  • Anthropic (Claude): Invoice OCR and document analysis (zero-retention API, DPA in place)
  • TrueLayer: Open Banking integration (FCA-authorised, UK-based)
  • Telegram: Construction project group monitoring (Mintstone bot reads messages in project supergroups as a group administrator)

We also query the public Companies House register as a source of company and registered-charge information for collateral checks. Companies House is a public register, not a sub-processor.

6. International Data Transfers

Personal data is primarily processed and stored within the UK and EU. A limited number of sub-processors operate outside the UK/EEA (see section 5). Where a transfer outside the UK/EEA occurs, we rely on one or more of the following safeguards under UK GDPR Chapter V:

  • The UK Extension to the EU-US Data Privacy Framework, where the receiving organisation is certified to it
  • The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, where applicable
  • Zero-retention API agreements with our AI sub-processors (OpenAI, Anthropic), so that document and transaction data sent for analysis is not stored or used for model training in the destination country
  • Appropriate technical and organisational measures protecting data in transit and at rest

7. Data Retention

  • Active Projects: Data retained for duration of lender contract + 7 years (financial records retention requirement)
  • Inactive Accounts: Anonymised after 12 months of inactivity (unless legal hold applies)
  • Contractor Communication Data: 3 years from message date; erasure requests assessed subject to regulatory retention obligations
  • Audit Logs: Retained for 7 years for regulatory compliance
  • Funder Access & Collateral Checks: Funder attachment records and collateral / charge-check results retained for the life of the facility + 7 years as part of the audit trail; funder access ends immediately on lender detachment

8. Your Rights Under UK GDPR

You have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion (subject to legal retention requirements)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Object: For Telegram monitoring, you may exercise your right to object under Art. 21 UK GDPR. We will assess your objection against our legitimate interest and arrange alternative reporting if appropriate.
To exercise your rights, contact:
Email: contact@mintstone.co.uk
Or write to: Mintstone Ltd, 128 City Road, London, EC1V 2NX

9. Security Measures

We implement industry-standard security controls:

  • End-to-end encryption for data in transit (TLS 1.3)
  • Encryption at rest for all stored data (AES-256)
  • Multi-factor authentication (MFA) for lender accounts
  • Role-based access control (RBAC) and audit logging
  • Ongoing dependency vulnerability scanning and internal security reviews; independent third-party penetration testing is planned before onboarding enterprise lender customers
  • API keys and credentials stored in secure vaults (never in code)

10. Cookies & Analytics

We use minimal cookies:

  • Essential Cookies: Session authentication (required for platform function)
  • Analytics Cookies: Vercel Analytics (anonymised page views, no personal identifiers)

No third-party advertising or tracking cookies are used. You can disable analytics in browser settings.

11. Contractor-Specific Rights

If you are a contractor working on a project monitored via Telegram:

  • Your messages in the project Telegram group are read by the Mintstone bot (a group administrator) for construction progress tracking and variation detection under Art. 6(1)(f) UK GDPR (legitimate interests)
  • A monitoring notice is pinned in every forum topic explaining this processing
  • You have the right to object to this processing under Art. 21 UK GDPR by contacting contact@mintstone.co.uk or the project developer
  • If you object, we will assess your request against our legitimate interest and arrange alternative progress reporting methods where appropriate
  • You can request access to or erasure of your message data at any time, subject to regulatory retention obligations
  • Objecting to monitoring does not affect your ability to work on the project. Progress reporting can continue via alternative methods

12. Children's Privacy

Our platform is not intended for individuals under 18. We do not knowingly collect data from minors.

13. Changes to This Policy

We may update this policy to reflect legal or operational changes. Material changes will be notified via email (for registered users) and prominently displayed on our website.

14. Complaints

If you believe we have mishandled your data, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

15. Contact Us

Privacy, data protection, and general enquiries:
Email: contact@mintstone.co.uk
Post: Mintstone Ltd, 128 City Road, London, EC1V 2NX

© 2026 Mintstone Ltd · Company No. 17105543 · Registered in England and Wales