Octopus Money Direct Privacy Policy 

1. Introduction

This privacy notice explains how Octopus Money Direct decides why and how your personal information is used when you engage our services and communicate with us in the United Kingdom (UK). We are Controllers of your information under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025 (DUAA) and related regulations from time to time. Nothing in this notice is intended to limit or restrict your legal rights; it is provided for information purposes only.

We take your privacy seriously. Here, you can learn more about your data protection rights and how we collect, use, share and store your personal information. This includes information we already hold about you now and further personal information we might collect about you, either from you or someone else. 

How we use your personal information depends on the accounts and relationship you have with us. Our Data Protection Officer (DPO) provides help and guidance to make sure we protect your personal information and we use it in the right way. If you have any questions, you can contact our DPO (see section 13 “Getting in touch”).

This Privacy Notice will replace any previous notice we’ve shared with you. If we make any important changes to it we’ll get in touch to let you know.

2. About the Octopus Money Group 

For the purpose of this privacy notice, the information on how we handle your personal data applies to the Octopus Money Group (OMG) companies listed below. Each firm is registered as a data controller with the UK Information Commissioner’s Office (ICO).

  • Octopus Money Financial Solutions Limited, registration number ZB570052; 
  • Octopus Money Platform Limited, registration number ZB582483; 
  • Octopus Money Limited, registration number ZB610542; and, 
  • Octopus Money Unit Trust Managers Limited (Octopus Money Direct), registration number Z5537067.

When we say ‘OMG’ or ‘Group’, we also mean, in relation to the companies listed above, that company, any subsidiary or holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company. Each company in a Group is a member of the Group.

Octopus Money Unit Trust Managers (‘we’ or ‘us’), as a data controller within the Group, may collect and process personal information, and within the parameters of the law share it with another member of the Group. 

3. What information we will keep

By ‘information’, we mean all the personal and financial details we collect, use, share and store. The information we keep can include but isn’t limited to:

  • Information about your identity and contact details (like your name, date of birth, home address, phone number, email address, current and previous countries of residence/citizenship, a copy of identification documents like passport or driving licence, for example – and information we need to check your identity).
  • Unique identifiers and reference numbers that we or others have allocated to you (like Companies House references, account numbers, online usernames, and your National Insurance number).
  • Your financial and payment information, including details of your income and how you spend it (if relevant), business accounting information, bank details and transactions with us and others.
  • Information about you from resources, organisations and regulatory bodies (like the Financial Conduct Authority and Companies House).
  • Information about people you’re financially linked to (like your husband/wife/partner or financial associates) or who have an interest in or association with any of your accounts. (For example, a joint investment account or where you’ve opened an account for a child).
  • How you access and use our website or other digital services (like your IP address, location and the device and software being used).
  • The profile information we create by analysing you, your business and your behaviour. This could be through the way you use your account and from other sources – including information we get using artificial intelligence to look at combined data sets.
  • Your permission to share information from third parties.
  • Information that the law sees as being in a special category because it’s sensitive to you. We can only collect and use this information if you’ve given us permission, or it’s permitted by law. This sort of information includes:
    • Race or ethnicity
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic and biometric data
    • Health information and data (needed for some insurance products and to protect vulnerable customers)
    • Criminal convictions and offences (needed for preventing fraud, anti-money laundering and to meet our legal duties)

In section 6, there’s more on how we use this information.

Sometimes, we ask for your information as we need it to provide the product or service you’ve asked for or to do something the law requires us to do (like check you are who you say you are). Without that information we may not be able to provide some products or services requested.

4. Where we get the information from

We collect information directly from you and others.

We get information:

  • Directly from you – for example, in applications, emails, letters and phone calls (including information given by someone else, like an employer, financial adviser or accountant).
  • Through entries into our competitions, surveys, promotions and conversations with us on social media.
  • By looking at how you use our products and services, or those of other members of our Group. For example, from transactions and how you manage your accounts and services. This includes the use of artificial intelligence or machine learning to analyse aggregated/combined datasets, to make forecasts/projections of earnings and cash flow, and to improve a service or systems in terms of machine learning or analytics cookie use. Information may be used for the development and deployment of machine learning.
  • From others who know you – including joint account holders and people you’re linked to financially.
  • From the type of device you’re using and the list of apps you have on your device.
  • From your use of our websites or applications, including through cookies that collect information about your internet use.
  • From recorded calls. We’ll record or monitor phone calls with you for regulatory purposes and training, to improve our service, to make sure our colleagues and customers are safe, and to correct any issues. 

We also get information from: 

  • Credit reference agencies (like Experian) and fraud prevention agencies (for example, CIFAS).
  • Advertisers, social media networks and companies that do market research and look at stats and analyse your behaviour (like Google and Facebook).
  • The Government and their agencies – for example, HM Revenue & Customs, Financial Conduct Authority and Companies House.
  • Public records (like the electoral roll) and other public sources, including internet searches.
  • Other companies that provide a service to us – for example, surveyors and lawyers.
  • Marketing Services Providers – these are companies that collect personal data from a number of sources for the purposes of creating profiles of customer groups.
  • Other third parties who are allowed to share information with us.

5. Why we need the information and what we use it for

We use your information for the purposes necessary to deliver, monitor and improve our services, to operate our business and comply with the law. The legal bases we may rely upon are set out below; the exact basis we use will depend on the context of the processing and may vary from time to time:

  • Consent – sometimes, we may ask you for your consent or permission to use information in a certain way or where the law states we must get your permission. For example, if you agree to us recording something about your health so we can improve the way we communicate with you. Whenever permission is the only reason for us using the information, you have the right to change your mind. To do this, just contact us – head to section 13 to find out how.
  • Performance of a contract – where we’ll use your information to provide you with your account, product or service (for example, we’ll use your name and address to post account information to you).
  • Legal obligation – this is where we must process your information by law (for example checking you are who you say you are).
  • Vital interest – processing is necessary in order to protect the vital interests of the data subject or of another natural person. 
  • Public interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. 
  • Legitimate interest – we’re allowed to use your information where, on balance, the benefits are reasonable and not outweighed by your interests or legal rights – for example, we have an interest in knowing what our customers like and don’t like so we can offer better products and services.

Using your information

These are the main ways we’ll use your information and the reasons for doing so:

To check your identity and eligibility for an account (Performance of a contract; Legal obligation) 

The law requires that we check the identity of new customers and, for business customers, verify the key individuals of such customers. The law also requires us to re-check the identity of existing customers from time to time. This is so we know who our customers are and to make it more difficult for criminals to use false or impersonated identities for criminal purposes like hiding the proceeds of crime or committing fraud. To check your identity, we’ll check the contact details and financial information you give us with credit reference agencies and against publicly available information. We’ll also check you’re eligible for the product or service we’re offering.

To manage your account and relationships with us (Contract performance; Legal obligation; Legitimate interest) 

We’ll use your information to manage any product, service or relationship you have with us. This will be done in line with the terms of that arrangement and the rules of our regulators. Examples of this are:

  • Management of your account including:
    • keeping information about your transactions and sending your account statements.
    • telling you about your account and your relationship with us, including letting you know any changes to interest rates or charges.
  • Sharing your name and some account details with a person or organisation before a payment can be made to your account.
  • Helping to fix errors and rectify any problems or complaints you may have.
  • Manage any offers or promotions you take part in.
  • Closing your account.

To do this, we’ll use your contact details, the payment details you’ve given us and your location data to enable us to check locations where payments are made (this is to prevent fraud). If you’ve agreed to it, we’ll also use mobile location services and your IP address to identify you for security and to stop fraud.

We may also share this information with third parties who help us confirm your contact details and deliver our products and services.

Complying with the law, stopping financial crime (including fraud and money laundering) and terrorism funding (Legal obligation; Legitimate interest)

By law, we must review applications and monitor accounts. This helps us tackle threats from terrorists, money-laundering and other financial crimes. We also have a legitimate interest in avoiding losses caused by financial crime like fraud. We may share information with law enforcement agencies and other official bodies or government departments to comply with our legal obligations (like tax and immigration authorities).

We may also check and share information we’ve got about you – like your contact details and financial information – with fraud prevention agencies, credit reference agencies, law enforcement, other government agencies and regulators. This is to help stop financial crime and terrorism funding. To do that, we’ll use any information you’ve provided, as well as information we’ve got from a third party. We’ll also see how you use our services for more information.

This includes your name, address, date of birth, every country of residence/citizenship, personal identification (which may include passport or driving licence number), your IP address and details of any criminal convictions. This might also include information about your location, which helps prevent crime and fraud.

Improving our services and computer systems (Legal obligation; Legitimate interest; Consent) 

We have a legitimate interest in improving how we offer our services and the security of the computer systems we use. We also have to respond to any law changes or rules that affect how we protect the information that we hold.

We may use your information to help us develop and test our systems, including new technologies and services. This is to make sure they’re safe and secure and will work the way we want them to. When we do this, we’ll use processes and technologies that are designed to keep this information secure.

We may also ask you for your consent to invite you to take part in customer research to help us improve our products and services.

Identifying other products and services from us and our partners that may be useful (Legitimate interest; Consent)  

The range of products and services we offer, including those from companies outside the Octopus Money Group, changes from time to time.

We have a legitimate interest in telling you about products, services and any new developments we think may interest you, where we’re permitted to. For some of our marketing, including letting you know about the products and services of other companies, we’ll ask for your permission first.

We don’t want to send too much information or anything that’s not right for you, so we’ll use the information we already have about you, particularly profile information, to decide what we talk with you about. 

You have the right to tell us at any time if you don’t want us to use your information in this way; you may unsubscribe at any time.

We’ll only get in touch in the ways you’ve said we can. For example, a phone call, text message or post. If you’ve said you don’t want to see any marketing, we will remove you from our marketing services. You can opt in or out, at any time, to marketing by contacting us in the usual way (see section 13 for our contact details).

If you are happy to receive marketing, we want you to see the things that are right for you, at the right time. The best way for us to do this is to use automated processes to create a profile for you for marketing purposes. We do this by using:

  • The information you’ve given us.
  • Details about how you’ve used other products and services you have with us or the Group.
  • Any feedback you’ve given us.
  • Information from other companies we’re partnering with (including, but not limited to, those shown in Appendix 2).

We might get information about you from a third party to help us market our products and services to you. But we’ll only do this if you’ve given them permission to share your information with us.

We may also get your name and address from other companies to help us offer services that are right for you. Our manual or automated processes analyse this information to decide what products and services to offer to you and to prioritise the marketing messages you receive.

We do this by:

  • Working out which products and services you can have.
  • Seeing if they’ll be useful to you.
  • Deciding how likely you are to reply.

We may also get information telling us if you’ve opened or clicked on an email, the type of device you’re using and your general location when you opened the email. Our service providers will help us with these marketing activities. The partners we give your information to might use it for marketing profiling.

Sometimes we work with other companies to offer you the best products and services. We’ll sometimes share your information with our partners, and get information about you too, to make sure that we give you the best, most relevant offers when we market to you (if you have given permission).

See Appendix 2 for a list of our partners and Appendix 3 for the types of suppliers we use.

Managing and organising our business (Legal obligation; Legitimate interest) 

We have a legitimate interest in running our business as well as possible while also sticking to our legal and regulatory responsibilities as part of the UK financial system.

Therefore, we may use your financial information, including how you’ve used our products and services, for the following reasons:

  • To see how well our marketing is working.
  • To train our team.
  • To spot trends or behaviours.
  • To check performance indicators.
  • To work out the profitability (or other indicators) of a product, service, sector or part of it when compared to others to help us with our future strategy.
  • To report to and communicate with regulators, auditors and government agencies.

We may pass your information to market research companies and others who help us with these activities.

Sometimes, we’ll use artificial intelligence to help us understand trends, behaviours and predict general patterns. For example, to see how well our marketing is doing.

We may also use your information for other things you’ve agreed to, as well as some situations where the law asks or requires us to.

Supporting vulnerable customers (Legal obligation; Legitimate interest; Consent) 

We have an interest as well as a legal duty to support vulnerable customers. That’s why we will use any information you give us, and what we can see from your transactions, that might show a vulnerability. For example, a health condition or money worries.

We’ll also use information we get about vulnerability from other members of our Group if we need to protect their interests. Plus, we’ll give information to third parties about vulnerability to meet our legal duties. This might be to the police, social services or someone acting on your behalf.

Managing relationships with third parties who introduce customers to us (Legitimate interest) 

We’ll give information to and get information from third party independent financial advisers and mortgage brokers who’ve introduced you to us.

This is so we can provide products and services to you and manage our relationships with those third parties, including paying any fees.

To do this, we’ll use information about the general nature of the products and services, as well as information about the value of those products and services.

When we make automated decisions 

We sometimes use computers to make decisions. We do this when:

  • Creating a profile of you for marketing purposes (but only where you’re happy to be contacted with marketing). This helps us make sure you get the most relevant information about the products and services that will be the most beneficial to you, at the right time. It also helps us decide how likely you are to respond. To do this, we use:
    • Information you give to us
    • Details about how you have used other products and services you have with us or the Group
    • Any feedback you have given us
    • Publicly available data from a reputable institution that may give us an insight into economic circumstances that impact you or the area you live in. Example sources include but are not limited to: The Bank of England, The Office of National Statistics and academic institutions or research papers
    • Information from other companies we are partnering with (including, but not limited to, those set out in Appendix 2).
  • When carrying out risk assessments related to money laundering and terrorist financing, required by law, we take into account customer type, countries where you operate, products held, transactions made and delivery channels.

6. What we use special categories of information and criminal information for

Special protection is given to special categories of information and criminal offence information.

We’ll only use special categories of information if we have one or more of the following additional reasons for using your information:

  • Explicit consent – where you have given us explicit consent to use the information.
  • Vital interests – where we need to protect your vital interests e.g. if you have a severe and immediate medical need whilst on our premises.
  • Public interest – where it is in the substantial public interest.

We’ll only use criminal offence information where the law allows us to, for example, for the purposes of preventing or detecting crime.

Using special categories information

We use the following special categories information for the reasons below:

Racial and ethnic background 

We may ask you about your racial and ethnic background as we need to make sure everything is fair and equal when it comes to the service we offer.

We may also ask you about this if you have given us your explicit consent to take part in our customer research and have provided us with this information.

Criminal information 

We may use information about criminal proceedings relating to you when deciding to provide our products and services in order to help us prevent and detect financial crime and to fulfil our legal/regulatory obligations.

7. Who we share information with

We treat all the information we hold as confidential. We may share your information with other people or companies, who are also required to keep the information confidential, safe and secure. For example:

  • Octopus Group companies (see section 2 ‘About the Octopus Money Group’) 
  • Other companies, commercial partners, agents and professionals who offer products, services and admin support to us – for example, our IT Suppliers.
  • The relevant business customer connected to you.
  • Companies, organisations and professionals who also offer you services.
  • Anyone we may transfer our rights and duties under any arrangement to.

We may also share your details with the following types of organisations:

  • Credit reference agencies who are performing fraud prevention checks.
  • Fraud prevention agencies.
  • UK and overseas regulators, authorities and their service providers (for example, the Financial Conduct Authority or Companies House).
  • UK and overseas tax authorities (like HM Revenue & Customs).
  • UK and overseas law enforcement agencies – for example, the National Crime Agency.

Fraud Prevention Agencies 

The credit reference agencies (CRAs) also work as fraud prevention agencies (FPAs). Just so you know, we’re also members of CIFAS, which is an FPA.

Before offering you a product or service, we may run some checks with FPAs to help prevent and detect fraud and money laundering.

We’ll do this by giving FPAs your information, who’ll then give us information about you. This includes details in your application or information from third parties.

If we or an FPA believe you’re a fraud or money laundering risk, we may not offer you a new product or service. We might also stop the product or service you’re already using and share any information we get from an FPA with the CRAs.

A record of any fraud or money laundering risks will be kept by the FPAs. This may mean other companies won’t offer you services, finance or employment.

We and FPAs may also let law enforcement agencies use your information to detect, investigate and stop crime. For more details visit:

8. Using information outside the UK

We may need to share your information outside the UK with others. This can include Group companies, service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not offer the same protection as in the UK.

This could be by only letting transfers take place with countries that the UK thinks offer enough protection for your information (an adequacy decision), or by putting additional measures in place to make sure there’s enough security as set out by UK data protection law.

These measures include having recognised safeguards in place with our commercial partners, like carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators like the International Data Transfer Agreement (IDTA) or Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers. The IDTA and Addendum replaced Standard Contractual Clauses (SCC) for international transfers. For more information about SCCs as shown by the ICO, check out ico.org.uk and search for ‘International Transfers’.

To learn more about how your information is used in countries outside the UK, the adequacy decision for that country or the measures we’ve put in place, please get in touch with our Data Protection Officer.

9. How long we hold information

How long we keep your information for depends on what products and services you have with us. Just so you know, we won’t keep it any longer than we need to (see section 5 for why we need the information and what we use it for and section 6 for why we need special categories information and what we use it for).

This means we’ll continue to hold some information for a while after your account has closed or our relationship has ended. For example, where we need to for the regulator, for active or potential legal proceedings, to resolve or defend claims or for making remediation payments.

If you’d like more information, you can contact our Data Protection Officer (see section 13. Getting in touch).

10. Keeping you up to date

We’ll get in touch with you about products and services we are delivering using the contact details you’ve given us. This might be by post, email, text message, social media and notifications on our app or website.

Where you have given us permission to send you marketing, you can cancel it and update your marketing choices by calling us or via your online account. 

Head to octopusmoneydirect.com/contact/ for all the contact information you’ll need.

11. What you do online

We use cookies to track how you use our website. If you’ve given us permission, we may also use cookies to tailor marketing messages when you’re logged in. For more information about how we use cookies, see octopusmoneydirect.com/cookies/.

12. Your Data Protection Rights

The law guarantees your rights about how we use your information.

If you don’t want us to use your information 

You can object to how we use your information. When this happens, we have up to one month to get back to you.

We’ll stop using the information unless there’s a good legal reason to keep using it (we’ll always tell you what that reason is).

You can stop getting marketing communications at any time. Just get in touch in the usual way to let us know.

Access to information 

You always have the right to ask whether we hold information about you. If we do, you have the right to know:

  • What the information is.
  • Why we’ve got it.
  • The ways it’s used.
  • Who we share it with.
  • How long we keep it for.
  • Whether it’s been used for any automated decision making.

You’re also allowed a free copy of the information. We can give it to you in person, online, over the phone, by email or by post.

Getting your information right 

We always want the information we have for you to be absolutely spot on (up to date and accurate). If any of it is wrong or out of date, let us know and we’ll fix it.

Deleting information 

You can ask us to delete your information if you think we don’t need it anymore. This might be because:

  • It’s not needed for the reason we collected it (see section 5 for why we need the information and what we use it for and section 6 for why we need special categories information and what we use it for).
  • We held and used the information because we had your permission, which you’ve now taken back.
  • You’ve already objected to the way we’re using your information.
  • We’ve been using the information unlawfully.
  • There’s a legal requirement for us to delete the information.

When you ask for information to be deleted, we have up to one month to get back to you. This may be extended by an additional two months in complex cases, and if we don’t go ahead and do it, we’ll tell you why.

Portability of information 

You have the right to get some of the information you gave us in a machine-readable format.

Restricting some uses of information 

In certain situations, you can block or limit the use of information by us. This may happen where:

  • You’ve challenged the accuracy of the information and we’re checking it.
  • You’ve objected to how we use your information and we’re considering whether you’re right.
  • We’ve been using your information unlawfully but you want us to continue to hold the information rather than delete it (see ‘Deleting information’ above).
  • We no longer need to keep the information but you’ve asked us to keep it because of legal claims you’re involved in.

Who can I complain to? 

If you’re unhappy with how we’re using your information, please contact us at octopusmoneydirect.com/contact

If we can’t fix the issue, you can complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body set up to uphold your rights. You can find out more at www.ico.org.uk  

You can exercise any of your data protection rights by contacting us.

13. Getting in touch

Our Data Protection Officer (DPO) provides help and guidance to make sure we apply the best standards to protect your personal information and comply with our responsibilities for data protection. Our DPO can be reached by email or post at: 

Data Protection Rights Requests

If you wish to make a Rights Request, you can do so by emailing dataprotection@octopusmoney.com or by writing to the DPO at the above address. 

The team will respond within a month and there is no need to send a reminder during that period.

14. Appendices

Appendix 1 

List of our Credit Reference and Fraud Prevention agencies.

Supplier | Service
CIFAS | Fraud Prevention
Experian Limited | Fraud Prevention

Appendix 2 

List of our Third Party Partners.

Third Party Partners
Attraqt Limited (Crown Peak)
Data Truth Limited
Equisoft Limited
Exiger Canada Inc.
Experian Limited
Factiva Limited (Dow Jones)  
FNZ Limited
GB Group Plc.
KPMG UK Limited
Paragon Customer Communications (London) Limited
Parseq Limited
SS&C
WorldPay

Appendix 3

List of the categories of our suppliers.

Categories of Suppliers
Business Management App Services
Credit Reference Agencies
Customer Services
Fraud Monitoring and Services
Government Services
Information Security Services
IT Service Companies
Legal Services
Marketing Campaigns and Services
Payment Systems and Services
Professional Services
Regulatory Monitoring and Services
Regulatory Reporting