Privacy notice

When we say “we”, “us”, or “Nucleus” in this policy, we mean all the companies that make up Nucleus.  They are:

• Nucleus Financial Platforms Limited
  
• Nucleus Financial Group Limited
• Nucleus Financial Services Limited
• James Hay Administration Company Limited
• James Hay Wrap Managers Limited
• James Hay Services Limited
• The IPS Partnership Plc
• IPS Pensions Limited
  

Nucleus is the controller of the personal information we process, unless otherwise stated.
Our postal and email addresses are:

Data Protection Officer
Nucleus Financial Platforms Limited
Greenside
12 Blenheim Place
Edinburgh
EH7 5JH

dataprotection@nucleusfinancial.com

We use information provided to us through interactions with you, as part of your application process, and the day to day running of your product. This can be directly from you, from your financial adviser or third parties you instruct on your behalf or other third parties such as credit reference agencies. This can also be through our online platforms, social media, or third-party links.

In general terms, we collect and use your personal information to:

• Deliver our service and meet our legal requirements.
  
• Verify your identity where this is required.
  
• Contact you, where we are allowed, by post, email, or telephone about important changes to our website, products, or services.
  
• Improve our services or products.
  
• Provide additional support or bespoke services to customers where appropriate.
  
• Maintain our records.
  
• Process financial transactions.
  
• Prevent and detect crime, fraud, or corruption.
  

Nucleus has in place appropriate security measures designed to keep your information secure, preventing it from being lost, stolen, altered, used, accessed, or disclosed in an unauthorised way. 

This includes:

• Basic information about you such as name, date of birth, gender, national insurance number, marital status, and occupation.
  
• Your contact details such as address, post code, email, country of residence.
  
• Documentation confirming your identity, tax residency, and legal authority, including photographic identification.
  
• Your nationality or dual nationality.
  
• Information connected to your product or service you use e.g. bank account details.
  
• Financial details including bankruptcy, tax status, pension information.
  
• Information from fraud agencies, credit reference agencies, electoral roll, and other publicly available information.
  
• Details of other people provided as part of your product or services such as joint applicants, next of kin, power of attorney, children, or beneficiaries.
  
• Your correspondence with us such as letters, emails, calls or meetings.
  
• Images of you collected by photography or CCTV should you visit our offices or attend our events.
  
• Information collected automatically via cookies when you visit one of our websites or use one of our online platforms. See separate Cookie Notice for additional information.
  
• Information relating to your health only where it is necessary to provide a product or service to you or where required by a legal obligation.
  

Special Categories of Data

We may also collect and use special categories of data, including health data and criminal data. This includes:

• Medical conditions, sickness records, and information from your doctor to allow us to decide whether or not to make an early pension payment due to ill health.
  
• Information you provide if you are vulnerable or where we suspect you are vulnerable.  We will only record this with your explicit consent which you can withdraw at any point (see your rights for more information).
  
• Information related to any politically exposed person, terrorist, or sanctions that you may be subject to.  These checks can also contain criminal convictions or offences and are all used to decide whether or not to continue our relationship with you.
  
• If a court order is received containing criminal convictions, such as fraud.
  
• Where we are contacted by law enforcement agencies where a customer has committed an offence or is under investigation.
  

Aggregated data

We also process aggregated data for any purpose. This data may be derived from your personal information, but as this data does not directly or indirectly reveal your identity, it is outside the scope of GDPR. If, however, we combine or connect this aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as your information.

Whenever we use your information we must have something called a “lawful basis” for what we do. The different lawful bases we rely on are:

• Consent – you have told us you are happy for us to use your information for specific purpose(s) e.g., direct marketing. You can withdraw your consent at any time by contacting us.
  
• Legitimate Interest – the use of your information is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
  
• Performance of a contract – we must use your information to be able to provide you with one of our services or products.
  
• Legal obligation - we are required to use your information by law.
  

We may share your information with others, including third party service providers and other entities in the Nucleus Financial Platforms Ltd group and its parent companies, subject to applicable laws. These third parties include:

• Your financial adviser.
  
• Companies we have chosen to support us in the delivery of our products and services, for example, IT providers, consultants, gift services, and companies that provide servicing and administration services.
  
• His Majesty’s Revenue and Customs, regulators, and other authorities.
  
• Companies you ask us to share information with.
  
• Credit Reference Agencies to carry out anti-money laundering or identity verification services.
  
• RL360 if you invest in our offshore bond.
  
• Sanlam Life and Pensions UK Ltd if you invest in the onshore bond.
  
• Scottish Friendly Life Assurance Society Ltd if you have invested in the Scottish Friendly onshore bond or Nucleus APP Pension Account.
  
• Pension trustees if you have invested in a SIPP.
  
• Fund managers or their appointed representatives of the relevant fund(s) you have invested in.
  
• Discretionary Fund Managers if you have elected to use that service.
  
• Banks for which we use client banking services.
  
• Market research companies for the purpose of improving our services.
  
• Any other third party permitted by law and in the following circumstances:
  • To protect the security of our business.
  • To comply with court orders.
  • If we sell, merge, restructure, or otherwise reorganise our business.

Credit Reference Agencies

As stated above, we may conduct checks using one or more credit reference agencies prior to you opening an account with us and during your relationship with us. If we use Experian, please note:

• Experian may check your details against any database to which they have access in order to carry out the verification service they provide.
  
• A non-credit footprint is left by Experian.
  
• A record of the decision made is available to us for audit purposes.
  

Further information about Experian’s service and data protection can be found at www.experian.co.uk. Other credit reference agencies undertake similar actions.

We may also transfer, store, or process your information outside the UK. We make certain your information is protected by ensuring at least one of the following safeguards is implemented:

1. Transferring your information to countries that have been deemed to provide an adequate level of protection.
   
2. Using specific privacy contractual clauses with service providers to give your information the same level of protection that it has in the UK.
   

Where no adequate safeguards can be taken, your information will only be transferred outside the UK in the following circumstances:

1. You have explicitly consented after having been informed of the potential risks.
   
2. The transfer is required for the performance of a contract with us, for example, you decide to invest in an investment that is managed outside the UK.
   

We only keep your information for as long as is necessary to perform our statutory and legal obligations. These will vary dependent on the particular circumstances. Generally, we will retain information about you for a period of seven years following the termination of the contractual relationship between us, unless there are specific circumstances which mean we need to retain your information for longer. This could include where the record is relevant for legal proceedings, a criminal investigation, or where the information is legally required to be kept longer, for example, information relating to a pension product.

The right to access

You have a right to request that we provide you with a copy of the personal information that we hold on you. You also have the right to be informed of (a) the source of your personal information; (b) the purposes, legal bases, and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entities your personal information may be transferred to.

The right to rectification

You have the right to request that we rectify any inaccurate personal information. We may verify the accuracy of the personal information before rectifying it.

The right to erasure

You can request that we delete your personal information, but only where:

• It is no longer required for the purposes for which it was collected.
  
• You have withdrawn your consent (where the processing is based on consent).
  
• Following a successful right to object (see below).
  
• It has been processed unlawfully.
  
• To comply with a legal obligation to which you are subject.
  

We are not required to delete your information where the processing is necessary:

• For compliance with a legal obligation.
  
• For the establishment, exercise, or defence of legal claims.
  

The right to restrict the processing

You can request that we restrict your personal information, but only where:

• Its accuracy is being contested, to allow us to verify its accuracy.
  
• The processing is unlawful, but you do not want it deleted.
  
• It is no longer needed for the purposes for which it was collected, but we need it to establish, exercise, or defend a legal claim.
  
• You have exercised your right to object, and we are verifying our legitimate interests.
  

The right to object

You can object to any processing where we process under legitimate interest, providing you believe your fundamental rights and freedoms outweigh our legitimate interests.

If you raise an objection, we will need to demonstrate we have compelling interests to continue to process your information.

The right to portability

You have the right to ask us to provide you with an electronic file containing all your personal information we hold about you.

Rights regarding automated decision making

We use automated decision making, including profiling, in certain circumstances, such as when it is in our legitimate interest to do so, or where we have a right to do so because it is necessary for us to enter into and perform a contract with you.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal impact on you.

Please contact us in any of the ways set out in the contact information and further advice section if you wish to exercise any of these rights.

We ask that you please attempt to resolve any complaints about how we handle personal information with us first, but you also have the right to lodge a complaint with the Information Commissioner’s Office:

Online: https://ico.org.uk/make-a-complaint/

By phone: 0303 123 1113

By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF