Privacy Policy
Welcome! This Privacy Policy (this “Policy”) explains how we at Jonas Collections and Recovery Inc., operating as C&R Software, collect, use, disclose and otherwise process personal data. We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Policy describes the personal data we may collect from you, the purposes for which we collect it, how we use it and how we keep it secure. This Policy also describes the choices you can make about your personal data, including how you can manage, delete or have access to your personal data. C&R Software will not collect, use or disclose your personal data other than in compliance with this Policy.
Click on any of the links below to read detailed information for that topic.
This Policy was last updated on the 19th day of November 2025. Please read this Policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
Jonas Collections and Recovery Inc. trading as C&R Software, a Delaware corporation, is the controller for your personal data. When we use the term “we”, “us” or “our” we are referring to C&R Software.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR). We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to products and services we offer to individuals and our wider operations in the European Economic Area (EEA).
We act as a processor when we provide our Debt Manager, PlacementsPlus and Agency Network platforms (our Platforms). If you are using our Platforms, this Policy will apply to the personal data we collect and use. We do not have access to any personal data input into our Platforms and we are not the controller for that personal data. For information about how our Clients use your personal data in our Platforms, you should contact them directly.
We are also signed up to the EU-US Data Privacy Framework and the UK extension to the EU-US Data Privacy Framework. Details of the dispute resolution and binding arbitration are set out at the end of this Policy in the section “EU-US Data Privacy Framework – dispute resolution and binding arbitration” below.
This Policy applies to the use of personal data on our website, when you use our products and services, when you use our Platforms, when you make an enquiry through our website form, white paper downloads, newsletter subscriptions and access any other resources on our website.
This Policy is not intended to take precedence over other notices on our website or provided to you throughout our interactions.
In this Policy we use certain words which have the following meanings:
- Clients: an organisation who uses any of our products and services.
- Data Protection Officer: This refers to our Data Protection Officer who can be contacted by emailing privacy@crsoftware.com.
- Debt Manager: This is C&R Software's proprietary Debt Manager Software product - a cloud hosted software platform that supports the entire debt lifecycle, from pre-collection through debt recovery, operationalizing analytics throughout.
- Network Agency: This is C&R Software's proprietary Agency Network Software product - a cloud hosted software platform that provides creditors with a single, secure channel to exchange data with collection agencies, credit bureaus, debt buyers, attorneys and other third parties.
- Personal data: This refers to any information relating to an identified or identifiable individual.
- PlacementsPlus: This is C&R Software's proprietary PlacementsPlus Software product - a software platform that automates the placement of accounts by creditors to collection agencies.
- Special Category Data: This refers to personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, sex life or sexual orientation.
- Website: This refers to our website www.crsoftware.com.
The personal data we collect about you depends on the particular services we provide to you. We will collect and use the following personal data about you when you use our Platforms and use our website as set out below:
| Personal data | Website | Customer Portal | Debt Manager | Placements Plus | Agency Network |
|---|---|---|---|---|---|
| Your name, job title and contact information, including email address, telephone number and company details | No | Yes | Yes | Yes | Yes |
| Your billing information, transaction, bank and payment card information relating to your purchase of products and services from us | No | No | No | No | No |
| Information to check and verify your identity, e.g. your date of birth | No | No | No | No | No |
| Information to enable us to undertake credit or other financial checks on you | No | No | No | No | No |
| Information about how you use our website | Yes | Yes | No | No | No |
| Information about your IP address, internet browser and version, your location and platform | Yes | No | Yes | Yes | Yes |
| Your marketing and communications preferences | Yes | No | No | No | No |
We collect and use this personal data for the purposes described in the section “How and why we use your personal data” below.
We also use, collect and share aggregated data. This data may be derived from your personal data but is not considered personal data, as it does not reveal your identity directly or indirectly. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide the personal data when requested, we may not be able to perform the contract we have or are trying to enter into with you, for example, to provide you with our goods or services. In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
We collect most of the personal data we use directly from you by telephone, email and/or via our website, for example when you complete a form on our website.
We also collect personal data directly from you when you:
- Request marketing information to be sent to you;
- Apply for more information regarding our products or services;
- Subscribe to our website resources;
- Make a direct enquiry through our website; or
- Register for our customer portal.
We may also collect information from the following sources:
- From publicly accessible sources, e.g. Companies House;
- Directly from a third party, e.g. trade shows and exhibitions where the organizer has contracted with C&R to provide participant data for those that have consented to their information being shared;
- Sanctions screening providers;
- Credit reference agencies;
- Customer due diligence providers;
- From cookies on our website – please see our cookie policy for more information;
- Through automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems;
- Technical data from analytics providers such as HubSpot (based outside the EEA), advertising networks such as Google and LinkedIn (based outside the EEA); and search information providers such as Google (based outside the EEA); and
- Information relating to your identity and your contact details from publicly available sources, such as LinkedIn or Companies House.
As you interact with our website, we may automatically collect technical and profile data based on your equipment, site interactions and usage patterns. We collect this personal data by using cookies and other similar technologies, for more information, please see our cookie policy.
Under data protection law, we can only use your personal data if we have a proper reason, for example, where you have given consent, to comply with our legal and regulatory obligations, for the performance of a contract with you or to take steps at your request before entering into a contract, or for our legitimate interests or those of a third party. A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests to balance our interests against your own.
The table below explains what we use your personal data for and why when you use the Platforms below and when we collect personal data via our website.
| Purpose for using personal data | Our reasons | Website | Customer Portal | Debt Manager | Placements Plus | Agency Network |
|---|---|---|---|---|---|---|
| Providing our products and services to you | To perform our contract with you or to take steps at your request before entering into a contract | Yes | Yes | Yes | Yes | Yes |
| Preventing and detecting fraud against you or us. | For our legitimate interest and those of our Clients, to minimise fraud that could be damaging for you and/or us | Yes | Yes | Yes | Yes | Yes |
| Conducting checks to identify our customers, verify their identity and screening for financial and other sanctions or embargoes | To comply with our legal and regulatory obligations | No | Yes | Yes | Yes | Yes |
| To enforce legal rights or defend or undertake legal proceedings | To comply with our legal and regulatory obligations to protect our business, interests and rights | Yes | Yes | Yes | Yes | Yes |
| Ensuring our business policies are adhered to, for example, policies covering security and use of our Platforms and services | For our legitimate interests and those of our Clients to make sure we are following our own internal procedures and securing our Platform and services | Yes | Yes | Yes | Yes | Yes |
| Operational reasons, to assist with improving efficiency, training and quality relating to our Platforms and services | For our legitimate interests, those of our Clients and users of our services and products to be as efficient as we can so we can deliver the best products and services to you at the best price | Yes | Yes | Yes | Yes | Yes |
| Ensuring the confidentiality of commercially sensitive information | For our legitimate interests to protect our trade secrets and other commercially valuable information of our Clients | Yes | Yes | Yes | Yes | Yes |
| Statistical analysis to help us manage our business, for example, in relation to the analysis of our financial performance, customer base, product range or other efficiency measures | For our legitimate interests to be as efficient as we can so we can deliver the best products and services to you at the best price | Yes | Yes | Yes | Yes | Yes |
| Preventing unauthorised access and modifications to our systems, services and our Platforms | For our legitimate interests to prevent and detect criminal activity that could be damaging for you and/or us | Yes | Yes | Yes | Yes | Yes |
| Protecting the security of systems, our Platforms and data used to provide our Platforms and services | To comply with our legal and regulatory obligations. We may also use your personal data to ensure the security of systems, our Platform and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests to protect systems, our Platforms and data and to prevent and detect criminal activity that could be damaging for you and/or us | Yes | Yes | Yes | Yes | Yes |
| Updating and enhancing customer records | For our legitimate interests, to ensure that we can keep in touch with our clients and potential clients about existing new products and services | No | Yes | Yes | Yes | Yes |
| Ensuring personal data we hold about Clients is accurate and up to date | To perform our contract with you when you are our Client to ensure we can contact you regarding services and products provided under our contract with you | No | Yes | Yes | Yes | Yes |
| Marketing our services to existing and former Clients, third parties who have previously expressed an interest in our products and services and to third parties with whom we have had no previous dealings | For our legitimate interests to promote our business to potential, existing and former Clients | Yes | Yes | Yes | Yes | Yes |
| Using your personal data to carry out credit reference agency, sanctions screening, anti-money laundering and associated checks via external credit reference agencies and sources | To comply with our legal and regulatory obligations | No | No | No | No | No |
| External audits and quality assurance checks for the purposes of ensuring we are complying with our contracts with Clients | To perform our contract with our Clients | Yes | Yes | Yes | Yes | Yes |
| External audits and quality assurance checks for the purposes of ensuring our services are provided in accordance with applicable laws and regulations | To comply with our legal and regulatory obligations | Yes | Yes | Yes | Yes | Yes |
| To share your personal data with our group companies and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency | For our legitimate interests to protect, realise or grow the value in our business and assets | Yes | Yes | Yes | Yes | Yes |
We do not collect or process any special category data about you.
We will use your personal data to send you updates by email or telephone about our products, including exclusive offers, promotions or new products. If we rely on consent to use your personal data for marketing purposes, we will ask for this separately and clearly. You have the right to opt out of receiving marketing communications at any time by using the “unsubscribe” link in emails. Where you opt out of receiving marketing messages, opting out will not apply to other communications which we are required to send by law or in connection with the provision of our products and services.
We may ask you to confirm or update your marketing preferences if you ask us to provide further products or services in the future, or if there are changes in the law, regulation, or the structure of our business.
Personal data may be held at our offices and those of our group companies and by third party agencies, service providers, representatives and agents as described above, see section “Who we share your personal data with” above. Some of these third parties may be based outside the UK/EEA. For more information, including on how we safeguard your personal data when this happens, see section “Transferring your personal data out of the UK and EEA” below
We will not keep your personal data for longer than we need it for the purpose for which it was collected. Different retention periods apply for different types of personal data.
If you no longer have an account with us or we are no longer providing products or services to you, we will usually delete or anonymise your account data after seven years. Following the end of the of the relevant retention period, we will delete or anonymise your personal data. You can contact us and/or our Data Protection Officer by email via privacy@crsoftware.com if you have any questions about our retention periods for your personal data.
It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA in order to provide our products and services. In all cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data. We will also transfer your personal data from the EEA to the UK.
We transfer your personal data in accordance with data protection laws to our service providers located outside the UK and the EEA to the following countries: Canada, United States of America, South Africa, Malaysia, India, Chile, New Zealand, Singapore, Australia, Thailand and Mexico.
Under data protection laws, we will only transfer your personal data to a country outside the UK and/or the EEA where:
- The UK government has decided the particular country ensures an adequate level of protection of personal data (known as an “adequacy regulation”) further to Article 45 of the UK GDPR;
- In the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an “adequacy decision”) further to Article 45 of the EU GDPR;
- There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
- A specific exception applies under relevant data protection law.
Where we transfer your personal data outside the UK and/or the EEA, we do so on the basis of an adequacy regulation or where this is not available, legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR and/or EU GDPR. In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK and/or the EEA unless we can do so on the basis of an alternative mechanism or exception provided by UK or EU data protection law and reflected in an update to this Policy.
Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section on “Changes to this Policy” below.
You have the following rights, which you can exercise free of charge:
- Access: The right to be provided with a copy of your personal data.
- Rectification: The right to require us to correct any mistakes in your personal data.
- Erasure (the right to be forgotten): The right in certain situations to require us to delete your personal data.
- Restriction of processing: The right to require us to restrict processing of your personal data in certain circumstances, for example, if you contest the accuracy of the data.
- Data portability: The right in certain situations to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party.
- To object: The right to object at any time to your personal data being processed for direct marketing (including profiling). The right to object in other situations to our continued processing of your personal data, for example, processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims.
- Not to be subject to automated individual decision making: The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
- The right to withdraw consent: If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time. You may withdraw consent by clicking on any unsubscribe links in communications we send to you. Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.
For more information on each of those rights, including the circumstances in which they apply, please contact us using the details in the section ‘How to contact us’ below.
If you would like to exercise any of those rights, please contact us please contact us by using the contact details in the section ‘How to contact us’ below and provide enough information to identify yourself, for example, your full name, address and customer number, any additional identity information we may reasonably request from you, let us know what right you want to exercise and the information to which your request relates.
We have appropriate security measures to prevent personal data from being lost accidentally, used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Dispute Resolution: If a privacy complaint or dispute relating to personal data received by C&R Software in reliance on the EU-US Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: Submit a Dispute Concerning a VeraSafe Participant. If a complaint or dispute cannot be resolved through our internal process, we have also agreed to cooperate with the EU and UK data protection authorities and Information Commissioner and to participate in the dispute resolution procedures of the panel established by such data protection authorities.
Binding Arbitration: If your dispute or complaint related to your personal data that we received in reliance on the EU-US Data Privacy Framework cannot be resolved by us, nor through the dispute resolution mechanism mentioned above, you may have the right to require that we enter into binding arbitration with you under the EU-US Data Privacy Framework “Recourse, Enforcement and Liability” Principle and Annex I of the EU-US Data Privacy Framework.
This website contains links to third-party websites, plugins and applications. Clicking on those links and enabling those connections may allow third parties to collect or share personal data about you. We do not control these third-party websites and we are not responsible for their privacy policies or the use of your personal data. When you leave our website, we encourage you to read the privacy policy of every website you visit.
Please contact us if you have any queries or concerns about our use of your personal data using the contact details in the section “How to contact us” below. We hope we will be able to resolve any issues you may have. You also have the right to lodge a complaint with the UK Information Commissioner’s Office.
We may change this Policy from time to time, when we do make changes, we will inform you via our website by posting an updated copy of this Policy.
We take reasonable steps to ensure your personal data remains accurate and up to date. Please let us know if any of the personal data you have provided to us has changed, please contact us using the contact details in the section “How to contact us” below. You can also update your personal data yourself via the Platform you are using, for example Debt Manager or PlacementsPlus.
You can contact us and/or our Data Protection Officer by email via privacy@crsoftware.com if you have any questions about this Policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.