The Wellesley Group Privacy Policy

This policy has been prepared to meet the requirements of the EU General Data Protection Regulation, the UK's Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. It explains why we process your personal data, what we do with your personal data, how we look after your personal data and what your rights are over your personal data.

It is important that you read this policy together with any other privacy notice or fair processing notice we may provide at the point of collecting or processing your personal data. This policy supplements those notices and is not intended to override them. Please read it in conjunction with the Terms of Website Use: https://www.wellesley.co.uk/website-terms-of-use and any other documents referred to in it ("Terms").

Our site, products and our services are not intended for use by children and we do not knowingly process personal data relating to children.

When we refer to "personal data" we mean information about an individual from which that person can be identified. This does not include data where the individual's identity has been removed.

We may collect, use, store and transfer the following types of data:

We will not necessarily collect all of the above data about you. For example, if you are merely visiting our site then we will usually just collect Technical data about you and your device. If you decide to sign up for newsletters and offers then we will collect Contact, Marketing and Communications data from you. Where you decide to become an investor then we would need to collect the above as well as ID Verification, Transaction and Account data.

The above data may not always be considered personal data. For example, much of the Technical data we collect is aggregated data, and it is not usually classified as personal data because it does not reveal your identity to us. If we link aggregated data to your personal information, it will be treated as personal data in line with this policy.

We do not process any "special categories" of personal data about you (i.e. information about your race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).

We try to be sure that the personal data we hold about you is accurate, and so please get in touch with us if your personal data changes so we can update our records. You can contact us using the details at the beginning of this policy.

We collect personal data about you from a number of different sources depending on who you are and what personal data it is. For example, we collect personal data:

• From you directly: when you submit an application form to us; purchase products or services from us or the Wellesley Group; and correspond with us by post, phone, email, through social media, or otherwise.
• From third parties: such as information you have asked us to collect on your behalf; providers of payment services where you make payments to us; and the Share Centre if you purchase a Wellesley Group product via them.
• From publicly available sources: such as Companies House, the Land Registry, Bankruptcy Register and the Electoral Register.
• From your device: when you access our site.

Cookies

Our site uses cookies to automatically collect data, including personal data, in order to help us improve future functionality and to distinguish you from other users. For more information about the cookies we use on this site, what data they collect and how to block them, please see our Cookie Policy: https://www.wellesley.co.uk/cookie-policy/.

On visiting the site, if you choose to access the investment portal, (https://invest.wellesley.co.uk/) you may be directed to accept additional cookies. Further details are available on our Cookie Policy.

We will only use your information where we have a lawful basis to do so. We set out below how we plan to use your personal data and the lawful basis that we rely on.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. If you need details about the specific legal ground we are relying on to process your personal data then please contact us. If we need to process your personal data for a different purpose that is not compatible with the original purpose, then we will let you know. Please note that we may also process your personal data for a different purpose than listed above and without your consent where it is necessary for us to comply with our legal obligations.

We only directly market to you by SMS and email where it is legally allowed, for example where you have consented, or where you have purchased (or negotiated to purchase) a product from us and did not chose to opt out. When directly marketing to you we may use a combination of the data we hold about you to form a view on what we think you would be interested in.

We only want to market to those who actually want to hear from us. You can ask us to stop sending you marketing messages at any time by:

• Selecting the opt-out link on any marketing message sent to you; or
• Emailing [email protected] with your request.

We may share your personal data with the following third parties for the purposes set out in the table above:

• Wellesley Group companies;
• Services providers including identity verification providers, anti-money laundering providers, data storage and shredding services providers.
• Financial platform providers (e.g. the Share Centre and Third Platform Services).
• Financial or payment service providers.
• Other banks and financial institutions who you authorise us to deal with in order to switch your financial services (e.g. The Share Centre).
• Contractors who help us to provide you with services, such as IT, cloud, telecommunications, security, client relationship management and system administration services.
• Marketing, communications, advertising, public relations suppliers and analytics companies, including Google Analytics. You can find additional information of our use of Google Analytics referenced at the following link: https://www.google.com/policies/privacy/partners/.
• Professional advisers, such as auditors, accountants and solicitors.
• Our Group Companies and ultimate shareholders.
• Your professional advisers (if you have requested and authorised us to do so).
• HM Revenue & Customs, National Crime Agency, local authorities, law enforcement agencies, regulators and other authorities (both inside the UK and outside of the UK).
• The Financial Conduct Authority, Bank of England, and the Financial Ombudsman Service in relation to our regulatory obligations as a financial institution.
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.  If a change happens to our business, the new owners may use your personal data in the same way as set out in this policy.

Credit Reference Agency contact details

Credit Reference Agencies and other agencies (CRAs): we may use one or more of the main CRAs when carrying out searches, for further details about how CRAs use and share personal data you can contact them as follows:

TransUnion (formerly Callcredit)
One Park Lane
Leeds
LS3 1EP
https://www.transunion.co.uk/
https://www.transunion.co.uk/legal-information/bureau-privacy-notice

Equifax Ltd
Customer Service Centre
PO Box 10036
Leicester
LE3 4FS
https://www.equifax.co.uk

https://www.equifax.co.uk/crain

Experian Ltd
Consumer Help Services
PO Box 9000
Nottingham
NG80 7WF
https://www.experian.co.uk
https://www.experian.co.uk/crain

Third Platform Services Limited

We have entered into an agreement with Third Platform Services Limited, (Third Platform Services), on behalf of ourselves and each of our clients whereby Third Platform Services has agreed to provide clearing and settlement, safe custody and associated services for our clients. Third Platform Services may also provide additional services such as investment dealing services as we may from time to time agree with Third Platform Services (clearing and settlement, safe custody and associated services, and any such investment dealing services, together “TPS Services”).

Third Platform Services may, in accordance with its privacy policy (thirdfin.com/documents) use, store or otherwise process personal information provided by you or us in connection with the provision of the TPS Services for the purposes of providing the TPS Services, administering your account or for purposes ancillary thereto. In the UK, Third Platform Services operates in accordance with, applicable data protection legislation (the Data Protection Laws). Our agreement with Third Platform Services sets out certain obligations on Third Platform Services as the data processor of your personal information, as required by Data Protection Laws.

The information Third Platform Services holds about you is confidential and will not be used for any purpose other than in connection with the provision of the services. Information of a confidential nature will be treated as such provided that such information is not already in the public domain. Third Platform Services will only disclose your information to third parties in the following circumstances:

• where required by law or if requested by the FCA or any other regulatory authority or exchange having control or jurisdiction over Third Platform Services (or any associate);
• to investigate or prevent fraud or other illegal activity;
• in connection with the provision of services to you;
• for purposes ancillary to the provision of the services or the administration of your account, including, without limitation, for the purposes of credit enquiries or assessments;
• if it is in the public interest to disclose such information;
• at your request or with your consent.

This is of course subject to the proviso that Third Platform Services may disclose your information to certain permitted third parties, such as members of its own group, its service providers and its professional advisers who are bound by confidentiality codes.

Third Platform Services will not sell, rent or trade your personal information to third parties for marketing purposes without your express consent.

The disclosures referred to above may include transfer of personal data outside the European Union, including to countries which may not have the benefit of equivalent data protection legislation (and have not been determined by the European Commission to provide adequate protection for person data). Third Platform Services will only transfer personal data to persons in such countries lawfully, and in particular they will (except where necessary to perform a contract with you or to implement pre-contract measures at your request or perform or conclude a contract with a third party in your interest) only transfer personal data to agents and service providers and other persons in these countries subject to one of the following appropriate safeguards:

• the recipient is in a country or is an international organisation which has been deemed to provide an adequate level of protection for personal data by the European Commission;
• Third Platform Services uses a specific contract between it and the recipient in a form approved by the European Commission for that purpose;
• the transfer is effected under binding corporate rules approved by a relevant data protection authority;
• the transfer is to the USA and the recipient is within the EU-US Privacy Shield; or
• the Data Subject has explicitly consented to the transfer, such explicit consent meeting the requirements of the Data Protection Laws.

Third Platform Services will always take steps to ensure that your information is used by third parties in accordance with its privacy policy.

In accordance with Data Protection Laws you are entitled to a copy of the information Third Platform Services hold about you. In the first instance, you should direct any such request to us and we will pass your request on to Third Platform Services. You should let us know if you think any information Third Platform Services holds about you is inaccurate and we will ask Third Platform Services to correct it.

Third Platform Services will not keep your personal data for longer than is permitted by applicable law and regulation or is otherwise required for the purpose of its processing.

International transfers of your personal data

We may share your personal data with (or provide access to) third parties that are based outside of the European Economic Area (EEA). Whilst most of our suppliers are based in the EEA, we do use suppliers located outside, including in the United States of America and India.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• We may use specific contracts approved by the European Commission which give personal data the same protection it has in EEA.
• Where we use providers based in the USA we may alternatively transfer your data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data as is provided in the EEA.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

As a financial institution, we take the security of your data very seriously. We have implemented a number of reasonable and necessary security measures in order to try and prevent unauthorised access. For example:

• We use entry controls in our offices to control who can access secure areas.
• We limit who can access our computer network, and certain parts of our computer network, to specific personnel.
• We put agreements in place with third parties we work with to regulate the processing, security and confidentiality of data.
• We regularly review, monitor and audit our suppliers.

If we become aware of a data breach, we will notify the Information Commissioner's Office in a timely manner. We may also notify you if we believe the breach is serious.

We store your personal data for different periods of time depending upon the purposes for which we collected it and we do not store your personal data for longer than is necessary to fulfil these purposes. We retain your personal data throughout our relationship with you, and usually for up to 7 years after your final investment with us has finished or you have closed your account.

Please be aware that as a financial institution, we may need to retain your personal data for longer in order to comply with our legal, regulatory and accounting obligations.

In order to determine how long we store your personal data for, we take into consideration why we need to continue to store your personal data, whether we can achieve the same result without having access to your data, and what the potential risk is if there is a data breach that affects your data.

Occasionally we may anonymise data which means that it is no longer associated with you. We do this for statistical or research purposes so we can improve the services we offer to you. We can use anonymous data indefinitely without further notice to you.

You have the following rights over your personal data:

• To ask us for details of the personal data we hold and process about you (this is usually called a subject access request).
• To ask that any inaccurate information we hold about you is corrected.
• To ask that we delete personal data we hold about you
• To ask that we stop using your personal data for certain purposes.
• To ask that we do not make decisions about you using completely automated means.
• To withdraw your consent.
• To ask that we give you the personal data we hold about you, or (where technically feasible) that we give this personal data to a third party chosen by you, in a commonly-used machine-readable format.

These rights are not available to everyone all the time. Some are subject to exemptions, and so we may not always be able, or required, to comply with your request to exercise these rights. Further details about your rights can be found on the Information Commissioner's website: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

To exercise any of the above rights, please contact us using the details included at the start of this policy and provide us with as much information as you can so we can respond as soon as we can. We may ask you to provide proof of identity (for example, your passport or driving licence) before we fully respond as we have to be sure we are giving the correct personal data to the correct individual.

We usually respond to data subject requests within one month, but it can take longer if your request is particularly complex or if you have made a number of requests. You will not usually have to pay a fee, but we reserve the right to charge a fee if your request if clearly unfounded, repetitive or excessive; alternatively, we may refuse to comply with your request.

You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection issues. Before exercising this right, we encourage you to contact us first to resolve any complaint you may have, although this is not legally required. More details can be found here: www.ico.org.uk.

We reserve the right to update this policy to reflect any changes to the way in which we collect, process or share your personal data, or to reflect any legal requirements. When we make any changes, we will upload the new version to our site. The new version will take effect as soon as it is uploaded.

This policy was last amended on 19 September 2019 and supersedes any earlier versions.