Privacy Policy

1. Introduction – Who We Are and How to Contact Us

PENFOLD SAVINGS LIMITED or 'us' or 'we' refers to the owner of the Website whose registered office is Penfold, WeWork Moor Place, 1 Fore St Ave, London EC2Y 9DT. Our company registration number is 11668244. The term 'you' or 'your' refers to the user or viewer of our Website.

To contact us, please email us at hello@getpenfold.com or via Live Chat on our website. 

1.1 Data Controller

We are the controller of and are responsible for your personal data.

However, our custodian partner Seccl Custody Limited (registered number 10430958) will also be an owner or controller of the data you pass through us to them for the purposes of operating your Penfold Pension. We will let you know of any other entity that will be the controller for your data when you open a Penfold Pension.

1.2 Data protection manager

We have appointed a manager who is responsible for overseeing the application of this privacy policy. If you have any questions about this privacy policy, including any requests to exercise, please contact us using the details set out in the Contact Us section of our Website.

2. Purpose of this privacy policy

This privacy notice sets out the processing practices in relation to personal data which is collected, stored and retained through the use of this Website and any other electronic communications by us, which is the data controller for that data.

Your right to privacy is important to us. This privacy notice sets out how we use and protect any information that you give us when you use this website. We are keen to strike a fair balance between your personal privacy and ensuring that you obtain full market value from the internet and other products and services we may market to you.

If you do not agree to the following policy, you may wish to cease viewing/using this Website, and/or refrain from submitting your personal data to us. This may mean we cannot provide services to you, and we may have to close any pension plans or accounts.

We may change this notice from time to time by updating this policy. You should check the Website page on which it is located from time to time to ensure that you are happy with any changes.

For the purposes of meeting the Data Protection Act 2018 territorial scope requirements, the United Kingdom is identified as the named territory where the processing of personal data takes place.

3. Your rights

If you have any requests concerning your personal data or any queries with regard to this notice, please contact us through the Contact Us section of our Website. We are registered with the Information Commissioner’s Office (ICO); our registration number is ZA505781. Information on the Data Protection Act 2018 and the General Data Protection Regulation (the GDPR) is also available on the Information Commissioner's website at https://ico.org.uk/. Under the GDPR, your individual rights in relation to your personal data are as follows (you can read more about your rights in detail at the ICO's individual rights page):

  • the right to be informed about the personal data being processed,
  • the right of access to the data,
  • the right to rectification,
  • the right to erasure,
  • the right to restrict processing,
  • the right to data portability (to receive an electronic copy of your personal data),
  • the right to object to processing of your personal data and
  • the right not to be subject to automated decision-making, including profiling.

4. Subject access rights

You have a right to a copy of and details of the personal data we hold about you. To obtain a copy of this, please contact us using the details set out in the Contact Us section of our Website. No charge will normally be made by us for providing this information. If your request is considered to be repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee.

5. Personal data we collect

We collect your personal data typically when you register for our services, make a purchase, enter a sales promotion or otherwise interact with us. Below are examples of the categories of the data we collect on you.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, maiden name, last name, national insurance number, username or similar identifier, title, date of birth and gender.
  • Contact Data includes billing address, delivery address, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

6. If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

7. Purposes for which we will use your data

We have set out, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity: To register you as a new customer

  • Type of data: Identity, Contact
  • Lawful basis for processing including basis of legitimate interest: Performance of a contract with you

Purpose/Activity: To process and deliver your instructions and Penfold Pension, and orders including (a) Manage payments, fees and charges, (b) Collect and recover money owed to us, our partners or due to you, (c) Give effect to your instructions

  • Type of data: Identity, Contact, Financial, Transaction, Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: Performance of a contract with you. Necessary for our legitimate interests (to recover debts due to us)

Purpose/Activity: To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy, (b) Asking you to leave a review or take a survey

  • Type of data: Identity, Contact, Profile, Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: Performance of a contract with you. Necessary to comply with a legal obligation. Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

Purpose/Activity: To enable you to take part in marketing activity including a prize draw, competition or complete a survey

  • Type of data: Identity, Contact, Profile, Usage, Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: Performance of a contract with you. Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

Purpose/Activity: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

  • Type of data: Identity, Contact, Technical
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). Necessary to comply with a legal obligation

Purpose/Activity: To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

  • Type of data: Identity, Contact, Profile, Usage, Marketing and Communications, Technical
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Purpose/Activity: To use data analytics to improve our website, products/services, marketing, customer relationships and experiences

  • Type of data: Technical, Usage
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Purpose/Activity: To make suggestions and recommendations to you about goods or services that may be of interest to you

  • Type of data: Identity, Contact, Technical, Usage, Profile, Marketing and Communications
  • Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to develop our products/services and grow our business)

8. Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

8.1 Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or opened an account with us and you have not opted out of receiving that marketing.

8.2 Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

8.3 Opting out

You can ask us or third parties to stop sending you marketing messages at any time by letting us know through the Contact Us section of our website or by following the opt-out links on any marketing message sent to you.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of for other purposes.

9. Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

10. Technical Information

For the most part, you may visit our website without having to identify yourself. However, certain technical information is normally collected by us as a standard part of our services. This information relates to your IP address, information about your device and other technical information your browser provides us with, and data about your use of our website (such as when you use the website and how you interact with its content). If you call us, additional information such as your telephone number may be saved as a standard part of that communication.

11. Information you provide to us

To allow us to provide you with the products and services you have requested, or to communicate with you, we may ask you to provide us with certain information such as your name, date of birth or age, email address, home or postal address, or financial situation. In registering for our services, you may create usernames, passwords and other credentials that we use to authenticate you and to validate your actions. You may send us copies of your personal identity documents or details about other financial products to which you may be a party.

Our services may ask you to submit information about other people, for example, members of your family or household, or a beneficiary of a product. You may also indirectly provide us with information through your consents, preferences and feedback.

11.1 Your transactions with us

We collect details of the queries or requests you have made, the products and services provided (including delivery details), purchasing details (including payments made, credit card details, billing address, credit checks and other such financial information), details of agreements between us, records of contacts and communications, information and details relating to the content you have provided us with and other such transactional information. We may, in accordance with applicable law, record your communication with our customer care team or with other similar contact points.

11.2 Location data

Certain services may involve the use of your location data. Use of your location data is, however, subject to your prior consent for each service.

Personal data obtained from third parties. We may obtain personal data about you from third party sources such as social media analytics, and from the following partners: Contego Solutions Limited (trading as “Northrow”) (company registered number 7358038).

11.3 How do we secure your personal data?

We have robust procedures in place within our business:

  • to protect data against accidental loss,
  • to prevent unauthorised access, use, destruction or disclosure,
  • to ensure business continuity and disaster recovery where required,
  • to restrict access to personal information,
  • to conduct privacy impact assessments in accordance with the law and our business policies,
  • to train staff and contractors on data security, and
  • to manage third party risks, through use of contracts and security reviews.

11.4 How long do we keep personal data?

We will keep your personal data only for so long as it is reasonable for us to do so, depending upon the nature of the data and our processing, and the grounds upon which we collected it. In general, we will delete redundant account information within 14 days of our relationship ending. However, we are obliged to keep certain records of our relationship to comply with the FCA’s and other regulatory rules, in which case we will instead restrict access through our archiving processes. Subject to any actual or potential legal claim or regulatory investigation, the maximum time that we envisage retaining any of your information is seven years from the date our relationship with you ends, after which time it will be destroyed.

Information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. If you do notify us that you no longer wish to receive marketing information, we will keep an encrypted version of your contact information to ensure we respect your wishes.

12. Other websites

Our website may contain links to other websites which are outside the control of Penfold and are not covered by this privacy notice. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their privacy notice which may be different to the privacy notice of Penfold. You should exercise caution and look at the privacy notice applicable to the website in question.

13. Transfers of your personal data

We may transfer your personal data to the third parties noted below, or as required by law.

Material service providers. We may transfer your personal data to the following third parties who provide us with a material service:

  • Seccl Custody Limited (registered number 10430958), to provide custody services for your Penfold Pension.

Generic service providers (data processors). We may transfer your personal data to third parties who process personal data on our behalf to enable the efficient technical and logistical provision of our services. These service providers may, for instance, supply us with cloud data storage, data security services, customer relationship management software, and other support services. We may substitute a technical or logistical service provider from time to time. Such parties are generally not permitted to use your personal data for any other purposes than that for which your personal data was collected, and we require them to act consistently with applicable laws and this Privacy notice as well as to use appropriate security measures to protect your personal data.

Event-driven transfers. We may transfer your personal data to third parties in certain events where it is necessary to protect your, or our, legitimate interests. This includes the cessation, sale or transfer of our business, civil or criminal legal, or regulatory, proceedings or insurance claims.

International transfers. Our products and services may be provided using resources and servers located in various countries around the world. Therefore, your personal data may be transferred outside the country where you use our services, including to countries outside the European Economic Area (EEA). We will transfer data in such circumstances only if the level of data protection in that jurisdiction is deemed adequate and if there are appropriate safeguards in place to protect your privacy.

Given that the Internet is a global environment, using the Internet to collect and process personal data necessarily involves the transmission of information on an international basis. Therefore, by browsing the Website and communicating electronically with us, you acknowledge and agree to processing personal data in this way.

14. Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see Use of Cookies.

15. Use of cookies

A cookie is a small piece of code, sent from a website to a user's internet browser, which allows that website to track the user's previous activity when they return to that website. This allows us to provide you with the experience that you expect from us and lets us continually improve our service.

You can block cookies by changing the settings on your browser, but if you do you will not be able to access all or parts of our website. The types of cookies we may use are:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, or make use of e-billing services.
  • Analytical/performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

We do not have any control over the use of cookies by third parties, including our partners and affiliates. To manage cookies from third party websites, you will need to visit their site to adjust your settings.

If you want more information about how cookies operate, or how to manage them, please visit About Cookies.

Use of this website is subject to our terms of use.