Privacy Policy

The Credit Protection Association Limited
Effective date: 11th June 2026
Last reviewed: 11th June 2026

The Credit Protection Association Limited, trading as The Credit Protection Association (“CPA”, “we”, “us” or “our”), respects your privacy and is committed to protecting your personal information.

This Privacy Policy explains how we collect, use, store, share and protect personal information when you use our website, contact us, become a member, use our services, are involved in a debt recovery or credit management matter, or otherwise interact with us.

We process personal information in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations, and other applicable UK data protection and privacy laws.

This policy applies to personal information relating to:

  • CPA Members (and prospective Members

  • Debtors, customers, directors, business owners and other individuals involved in debt recovery, credit control or credit management activity

  • Website users

  • People who contact us by email, telephone, post, online form or social media

  • Applicants for employment, agent roles, consultancy roles, contractor positions, internships, work experience placements or other opportunities with CPA

  • Suppliers, professional advisers and business contacts

  • Users of CPA services, reports, monitoring tools, newsletters, downloads or events

1. Who we are

The Credit Protection Association Limited is a UK business providing credit protection, credit management, debt recovery, monitoring, membership and related services.

This Privacy Policy also applies, where relevant, to personal information processed in connection with our associated companies and trading operations, including:

– CPA (LPC) Recoveries Limited

– Creditpro Limited

For data protection purposes, CPA may act as a data controller for much of the personal information it processes. In some circumstances, depending on the nature of the service provided to a member or client, CPA may act as a processor or process information under the instruction of another controller. Where this applies, our contractual terms with the relevant member or client will set out the responsibilities of each party.

Our contact details are:

The Credit Protection Association Limited

Registered office :C/O Sobell Rhodes LLP The Kinetic Centre, Theobald Street, Elstree, Hertfordshire, United Kingdom, WD6 4PJ

Trading Address: Profile West, 950 Great West Road, Brentford, TW8 9ES

Email: info@cpa.co.uk
Data Privacy Manager: dpm@cpa.co.uk
Telephone: (+44) 020 8846 0000

2. The personal information we collect

The personal information we collect depends on your relationship with us and the services being provided.

We may collect and use the following types of personal information:

Contact and identity details

This may include your name, job title, business name, trading name, postal address, email address, telephone number, mobile number, company registration details, director details and other business contact details.

Where you apply for a role with CPA, whether as an employee, agent, consultant or contractor, we may collect recruitment-related information such as your CV, application details, employment history, qualifications, references, interview notes, right-to-work information and information needed to assess your suitability for the role.

Membership and account information

This may include details about your CPA membership, enquiries, service history, subscription or account information, payment records, correspondence, preferences, support requests and notes relating to services we provide.

Debt recovery and credit management information

Where we are involved in debt recovery, credit control, credit reporting, monitoring or related services, we may process information such as:

  • Names and contact details of individuals connected with an account

  • Business names, trading names and company details

  • Director, partner, sole trader or guarantor details where relevant

  • Account references, invoice information and payment history

  • Correspondence, call notes, case notes and records of contact

  • Information provided by CPA members, clients, debtors, courts, legal advisers, credit reference providers, public registers or other relevant third parties

  • Information needed to assess, manage, recover or monitor overdue accounts

Website, technical and usage information

When you visit our website, we may collect information such as your IP address, browser type, device information, pages visited, referral information, approximate location, cookie identifiers and analytics information.

Marketing and communications information

This may include your marketing preferences, newsletter subscriptions, event registrations, downloads, form submissions, responses to campaigns and records of whether you have opted in or opted out of communications.

Special category or sensitive information

We do not usually need to collect special category information. However, in limited circumstances, information provided to us may reveal sensitive details, for example in correspondence relating to a dispute, vulnerability, health, personal circumstances or legal matter. Where this happens, we will only process such information where lawful and necessary.

3. How we collect personal information

We may collect personal information:

  • Directly from you when you contact us, complete a form, join CPA, request information, use our services, make a complaint or exercise your rights

  • From CPA members or clients who instruct us or use our services

  • From debtors, customers, directors, guarantors, business owners or representatives involved in a matter

  • From correspondence, telephone calls, emails, documents and online forms

  • From public registers, such as Companies House, court records, insolvency notices or other publicly available sources

  • From credit reference agencies, tracing providers, legal advisers, professional advisers, regulators or other relevant third parties

  • Through our website, cookies, analytics tools and similar technologies

4. Why we use personal information

We may use personal information for the following purposes:

  • To provide CPA membership services

  • To respond to enquiries and service requests

  • To provide credit protection, credit management, debt recovery, monitoring and related services

  • To manage overdue accounts and support recovery action

  • To verify information and maintain accurate records

  • To provide reports, alerts, updates and member services

  • To administer contracts, subscriptions, billing and payments

  • To communicate with members, clients, debtors, business contacts and other relevant parties

  • To comply with legal, regulatory, accounting and tax obligations

  • To handle complaints, disputes, data protection requests and legal claims

  • To protect our business, members, clients and others from fraud, misuse, non-payment or unlawful activity

  • To improve our website, services, systems and communications

  • To send marketing communications where permitted by law

  • To maintain suppression lists so we do not contact people who have opted out

  • To keep records for audit, compliance and business administration purposes

  • To assess applications for employment, agent, consultancy, contractor or other roles with CPA, including suitability, interview arrangements, references, right-to-work checks and recruitment administration.

5. Our lawful bases for processing

We only use personal information where we have a lawful basis to do so.

Depending on the circumstances, we may rely on one or more of the following lawful bases:

Contract

We may process personal information where it is necessary to enter into or perform a contract with you or with the business you represent. This may include membership administration, service delivery, account management and billing.

Legitimate interests

We may process personal information where it is necessary for our legitimate interests, or the legitimate interests of our members, clients or other third parties, provided those interests are not overridden by your rights and freedoms.

Our legitimate interests may include:

  • Providing credit management, debt recovery and credit protection services

  • Helping businesses manage credit risk and recover overdue accounts

  • Maintaining accurate business and account records

  • Preventing fraud, misuse, non-payment and unlawful activity

  • Communicating with business contacts, debtors, members and clients

  • Managing disputes, complaints and legal claims

  • Improving our services, website and business operations

  • Sending relevant business-to-business communications where permitted by law

Where we rely on legitimate interests, we consider the potential impact on individuals and apply safeguards where appropriate.

Legal obligation

We may process personal information where necessary to comply with legal obligations, including tax, accounting, regulatory, court, insolvency, law enforcement or data protection obligations.

Consent

We may rely on consent for certain activities, such as optional marketing subscriptions, some cookies or where consent is otherwise required by law. Where we rely on consent, you can withdraw it at any time.

Vital interests

In rare circumstances, we may or may not process information where necessary to protect someone’s vital interests.

Public task

This will rarely apply to CPA, but may be relevant in limited circumstances where processing is necessary for a task carried out in the public interest or under official authority.

6. Debt recovery, credit control and credit management activity

CPA provides services that may involve processing information about overdue accounts, business debts, trading relationships, payment history, credit risk and related correspondence.

Where we process personal information in connection with debt recovery, credit control or credit management, we do so only where we have a lawful basis and where the processing is necessary for the relevant purpose.

This may include contacting individuals or businesses about outstanding accounts, checking information, recording correspondence, assessing payment history, supporting legal escalation, reporting outcomes to members or clients, and maintaining records of action taken.

We aim to ensure that all records are accurate, relevant, professional and limited to what is necessary.

7. Automated decision-making and profiling

We may use systems, tools or data sources to help support credit management, monitoring, account review, risk assessment, alerts, case prioritisation, fraud prevention or service administration.

We do not intend to make decisions based solely on automated processing that produce legal or similarly significant effects on individuals unless this is lawful and appropriate safeguards are in place.

Where any automated processing is used to make or support a significant decision about an individual, we will provide information required by law and, where applicable, safeguards such as the right to obtain human review, express your point of view and challenge the decision.

8. Who we share personal information with

We will only share personal information where we have a lawful basis to do so and where it is necessary for the purposes described in this policy.

We may share personal information with:

  • CPA members or clients where necessary to provide services

  • Debtors, customers, representatives or other parties involved in a matter

  • Solicitors, courts, enforcement agents, insolvency practitioners, professional advisers or other parties involved in legal or recovery action

  • Credit reference agencies, tracing providers, verification providers or similar service providers

  • IT, hosting, software, email, CRM, payment, analytics and administrative service providers

  • Accountants, auditors, insurers, banks and professional advisers

  • Regulators, law enforcement bodies, government authorities or the Information Commissioner’s Office where required or appropriate

  • Purchasers, investors, advisers or other parties involved in a business sale, restructuring or transfer

  • Associated companies and trading operations, including CPA (LPC) Recoveries Limited and Creditpro Limited, where necessary for administration, service delivery, debt recovery, credit management, compliance, reporting, business operations or legal purposes.

Where we use service providers who process personal information on our behalf, we require them to protect the information and only use it in accordance with our instructions and applicable law.

9. International transfers

We generally aim to store and process personal information within the UK or countries that provide adequate protection for personal information.

Where personal information is transferred outside the UK, we will ensure that appropriate safeguards are in place, such as adequacy regulations, approved contractual clauses or other lawful transfer mechanisms.

10. How long we keep personal information

We keep personal information only for as long as necessary for the purposes for which it was collected, including to provide services, comply with legal obligations, resolve disputes, maintain records, enforce agreements and protect our legal rights.

Retention periods may vary depending on the type of information and the reason it is held.

As a guide:

  • Membership and account records may be kept for the duration of the relationship and for a reasonable period afterwards

  • Accounting, tax and payment records are usually kept for at least six years, or longer where required

  • Debt recovery, credit control and case records may be kept for a period necessary to manage the matter, support legal rights, evidence action taken and comply with limitation periods

  • Marketing records are kept until you unsubscribe or object, although we may keep a suppression record to ensure we do not contact you again

  • Complaint, subject access and rights request records may be kept to evidence how the matter was handled

  • Website analytics data is kept in accordance with the settings of the relevant analytics tools and our cookie policy

  • Recruitment records for unsuccessful applicants are usually kept for a limited period after the recruitment process unless we need to keep them longer for legal, regulatory or dispute-related reasons, or where you have agreed that we may keep your details for future opportunities.

We will review retention periods periodically and securely delete, anonymise or archive information where it is no longer required.

11. Cookies and similar technologies

Our website may use cookies, analytics tools, pixels and similar technologies to help the site function, understand how visitors use it, improve our services and support marketing activity.

Some cookies are necessary for the website to work. Other cookies, such as analytics or advertising cookies, may require your consent.

Where required, we will ask for your consent before placing non-essential cookies on your device. You can manage your cookie preferences through our cookie banner or browser settings.

Our website may use services such as Google Analytics, Meta/Facebook Pixel or similar tools. These tools may collect information about your device, browser, interactions with our website and online identifiers.

For more details, please see our Cookie Policy: https://cpa.co.uk/cookies/

12. Marketing communications

We may send marketing communications to individuals who have requested information, subscribed to updates, downloaded resources, attended events, used our services, or where we otherwise have a lawful basis to contact them.

For business-to-business marketing, we may contact business contacts where permitted by law and where the communication is relevant to their role or business interests.

You can opt out of marketing communications at any time by using the unsubscribe link in our emails or contacting us directly.

We will not sell your personal information to third parties for their own marketing purposes.

13. Security

We take appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse, alteration or disclosure.

These measures may include access controls, staff training, secure systems, password protection, data minimisation, supplier checks, backups and procedures for dealing with data breaches.

No system can be guaranteed to be completely secure, but we take data protection seriously and review our safeguards periodically.

14. Your data protection rights

Depending on the circumstances, you may have the following rights under data protection law:

  • The right to be informed about how your personal information is used

  • The right of access to your personal information

  • The right to have inaccurate information corrected

  • The right to have information erased in certain circumstances

  • The right to restrict processing in certain circumstances

  • The right to object to processing in certain circumstances

  • The right to data portability in certain circumstances

  • Rights relating to automated decision-making where applicable

  • The right to withdraw consent where processing is based on consent

  • The right to complain about how we use your personal information

These rights are not absolute and may depend on the reason we hold the information and the legal basis for processing it.

15. Subject access requests

You have the right to ask for a copy of personal information we hold about you.

You do not have to use any special wording or form to make a subject access request, although providing clear details may help us locate the information more efficiently.

We may ask you for information reasonably needed to confirm your identity or clarify the information you are asking for. Where appropriate, the time for responding may not begin, or may be paused, until we have the information reasonably needed to deal with the request.

We will carry out reasonable and proportionate searches for your personal information and respond within the timescales required by law.

In some circumstances, we may be unable to provide certain information, for example where it includes another person’s personal information, is legally privileged, relates to crime prevention, or where another exemption applies.

To make a subject access request, please contact:

Data Privacy Manager

Email: dpm@cpa.co.uk
Post: Profile West, 950 Great West Road, Brentford, TW8 9ES

You do not have to use a specific form or template, but we provide an optional Subject Access Request form to help you give us the information we need to identify you and locate your personal information more efficiently.

Download Subject Access Request template

We may ask you for information reasonably needed to confirm your identity or clarify the information you are asking for. We will carry out reasonable and proportionate searches and respond within the timescales required by law.

16. Other rights requests

If you wish to exercise any of your other data protection rights, please contact us using the details above.

Please provide enough information for us to identify you, understand your request and locate the relevant information.

We will respond in accordance with the timescales required by law.

17. How to complain about our use of your personal information

If you are unhappy with how we have used your personal information, you can make a data protection complaint to us.

Please contact:

Data Privacy Manager

Email: dpm@cpa.co.uk

Post: Profile West, 950 Great West Road, Brentford, TW8 9ES

Telephone: (+44) 020 8846 0000

Please include your name, contact details, the nature of your complaint, any relevant reference number and any information that may help us investigate.

We will acknowledge your complaint, investigate it and respond within a reasonable period. If we need more information from you, we will let you know.

If you remain unhappy with our response, or you do not believe we have handled your complaint properly, you have the right to complain to the Information Commissioner’s Office.

The ICO can be contacted at:

Information Commissioner’s Office

Website: www.ico.org.uk
Telephone: 0303 123 1113

We would appreciate the opportunity to deal with your concerns first, but you may contact the ICO at any time.

18. Data breaches

If we become aware of a personal data breach, we will assess the nature and impact of the breach and take appropriate action.

Where required by law, we will notify the Information Commissioner’s Office and affected individuals.

19. Links to other websites

Our website may contain links to other websites. This Privacy Policy applies only to CPA and our website. We are not responsible for the privacy practices of other websites.

You should read the privacy policy of any third-party website you visit.

20. Social media

If you interact with us on social media, the platform provider may also process your personal information. Please refer to the privacy information provided by the relevant platform.

We may use information you provide through social media to respond to your enquiry, manage our relationship with you or handle a service request.

21. Children

Our services are intended for businesses and adults. We do not knowingly collect personal information from children through our website or services.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, guidance, our services or the way we process personal information.

The latest version will be published on our website. Where changes are significant, we may take additional steps to bring them to your attention.

23. Contact us

If you have any questions about this Privacy Policy or how we use personal information, please contact:

Data Privacy Manager

Email: dpm@cpa.co.uk

Post: Profile West, 950 Great West Road, Brentford, TW8 9ES

Telephone: (+44) 020 8846 0000