OUR TERMS
Privacy Policy
Updated October 2023
1. Introduction
We respect your privacy and are committed to doing the right thing when it comes to protecting your personal data, including how we collect, use and protect your personal data. This Privacy Notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
This Privacy Notice aims to give you information on:
- Third-party links;
- Octopus Group and the Data Controller;
- Our legal bases to process personal data
- Our record retention policy
- Category of individuals and information on personal data;
- Disclosure of your personal data;
- Storage of your personal data;
- Security around individual’s personal data;
- Individual’s rights;
- Complaints
Our website and all our products and services are not intended for children and we do not knowingly collect data relating to children.
Please take the time to read this Privacy Notice. If you have any questions about this Privacy Notice or our use of your information and/or personal data you can contact us at:
- Email: dataprotection@octopusmoney.com
- Phone: 020 3195 4455
This Privacy Notice may change from time to time and our up-to-date version will always be available on this website.
2. Third party links
Our websites and our other web-based products or services may include links to third-party advertisers, affiliates, websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements, notices or policies. When you leave our website, we encourage you to read the privacy notice of every website you visit. We do not accept any responsibility or liability for the privacy policies or notices on third-party websites. Please check these policies before you submit any personal data to these websites.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
3. The Data Controller
For the purpose of this Privacy Notice, the information on how we handle your personal data applies to the Octopus Group companies listed below, each of which is registered as a data controller (as defined under the European Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)) with the UK Information Commissioner’s Office (“ICO”):
- Octopus Money, a trading name of TW11 Wealth Management Limited, registration number ZB570052;
- Octopus Accelerator Client Services Limited, registration number ZB582483;
- Octopus Investments Limited, registration number Z6932923; and
- Octopus Money Limited, registration number ZB610542.
Accordingly, “we”, “us” or “our” in this Privacy Notice, refers to the above companies including any subsidiary companies.
4. Our legal bases to process personal data
There are many reasons why we may legitimately collect and process your information and/or personal data (also known as the legal basis), including:
1. Consent
In specific situations, we can collect and process your data with your consent.
2. Performance of a contract
We may process your information where it is necessary to enter into a contract with you for the provision of our products or services; to perform our obligations under a contract; or to provide you with advice or guidance in relation to our products or services that are offered by us.
3. Legal obligation
If the law or any regulator in any competent jurisdiction requires us to, we may need to collect and process your data and also provide this to any such regulator.
4. Legitimate interest
We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.
5. General Information on our record retention policy
Records can be held on a variety of media (physical or electronic) and formats. Retention periods for records are determined based on the type of record, the nature of the activity, product or service, and applicable local legal or regulatory requirements. Retention periods may be changed from time to time based on business or legal and regulatory requirements.
Where we are presenting regulated financial advice to you we are required to demonstrate that we are compliant with the laws and regulations related to providing financial advice. Therefore, we will retain a record of our clients, their financial plans and the financial services we have provided for a specified minimum period from the end of our relationship with you, usually:
- Five years for investment business
- Three years for mortgage business
- Three years for insurance business
- Indefinitely for pension transfers and opt-outs.
We may, on exception, retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from any court or competent authority, or in relation to an investigation by law enforcement agencies or our regulators. This is intended to make sure that we are able to produce records as evidence, if needed, to those respective authorities.
Please refer to each individual category (sections 7 – 12, below) for how long we keep your information and/or personal data. If you believe the record you are looking for has not been stated, please contact us.
6. Category of individuals
Please select the relevant section from the list below to understand how we process your information and/or personal data:
- Website visitor
- Visitors to the office
- Employee
- Job applicant
- A client of one of our products or services
- Third-party supplier
7. Website visitor
When do we collect information about you?
- When you visit and browse our website
- When you provide your information on our contact page;
- When you fill in a job application in the career section;
- When you log into an Octopus Money account or system
Personal data we collect and the legal bases to process
- Website: Please refer to our Cookie Notice
- Contact Us section: Email address, individual’s message and if provided, includes the name, telephone number and other personal data directly submitted by the individual
- Career section: Please refer to section 8, below
- Octopus Money account or system login: Login credentials
We rely on the legitimate interest of the business as the legal basis to process your information and/or personal data. We will use your information to contact you and provide the necessary service relevant to the purpose of using our website. It will also help us to improve the usage and functionality of our website.
Why do we need your personal data?
- Contact Us page: The right team in Octopus will be able to contact you when a query or comment is submitted to us.
- Career section: When you submit your interest to work with us, the information you provide in the career section will help our team to review your application and the necessary credentials to consider your application. We will use the information and/or personal data provided to inform you of the status of your application.
- Octopus Money account or system login: The login credentials will provide you the access to your investment product and profile.
How long do we keep your data for?
Personal data under the contact us page will be held in our online system for 3 (three) months after it is submitted.
Information and/or personal data in the career section will be retained by our HR team for 12 (twelve) months, unless consent is given for us to hold it longer than this period.
A client’s information and login details will be recorded for as long as you have an online account with Octopus Money and for a period afterwards. The exact period varies depending on the products which you may have or have received advice on with us. Our standard retention periods are:
- Five years for investment business
- Three years for mortgage business
- Three years for insurance business
- Indefinitely for pension transfers and opt-outs.
For the avoidance of doubt the above periods start from when your account has been closed and where you have multiple products or services with us will be the longest retention period of the products or services you may have.
Cookies
Please refer to our Cookie Notice for more information and how we handle your personal data.
8. Visitors to our office
When do we collect information about you?
We may ask for your contact details prior to or upon your arrival at our office or events; or when you choose to use our guest Wi-Fi.
Personal data we collect and the legal bases to process
- Name;
- Email address;
- Organisation you are working for;
- Date and time of your visit;
- When connected to our Wi-Fi: IP address assigned by the network, hostname of device, first and last seen, data usage, device type and the last access point (all of which when combined amount to your personal data);
- Photographs or video images (through CCTV);
- Any other information you may provide to us for specific requests
The legal bases to process your personal data are:
- Legal obligation under the Health & Safety Act 1974 to use your information to facilitate your visit;
- Our legitimate interest to ensure a secure and safe access to our office; and
- Consent, when you agree to share your details with us to meet us
Why do we need your personal data?
We have a responsibility to look after the safety of our employees and visitors when you are in our office. Only authorised individuals are allowed to be in our office making sure that it is safe and secure for everyone.
The personal data used for the purpose of our Guest Wi-Fi will be used to provide the online connection to our visitors and keep track of any connection issues.
How long do we keep your data for?
We will keep your data for 6 (six) months from your first visit and it is held in the visitor management system provided by our building landlord (Sainsbury’s). We do not separately hold your information and/or personal data outside of the system. Please visit Sainsbury’s website to read their Privacy Notice.
In the event you are using our Wi-Fi, your personal data will be held for 30 (thirty) days from the last connection.
Please see section 16 of this document should you wish to have your personal data deleted sooner than the retention period.
9. Employees
When do we collect information about you?
We will process and use your information and/or personal data if you are permanently employed by Octopus Money or employed on a temporary basis including work under a contract of service and all agency staff, casual workers, contractors and consultants.
Personal data we may collect and the legal bases to process
- Name, date of birth, home address, email address, telephone number;
- LinkedIn profile (your profile link)
- Work experience;
- Academic and professional qualifications/ membership;
- School, college and/or university;
- Salary expectation;
- Start date and leaving date;
- Evidence of your right to work in the UK and/or immigration status;
- Passport;
- Driving Licence;
- HMRC Details
- P45 form
- Employee’s photo holding his/her passport;
- National Insurance number
- Health and disability information (if provided or known during your employment);
- Record of any accident and/or injury at work or during working hours (including while working from home);
- Marital Status;
- Gender;
- Next of kin and dependants;
- Emergency contact details;
- Home address outside of UK (if working abroad);
- Racial and ethnic origin (optional);
- Religious belief (optional);
- Sexual orientation (optional);
- Bank details;
- CCTV or video images;
- Headshot photo (security access card);
- Images on internal systems including Charlie HR, Slack and Google Workplace accounts;
- Images at our events;
- Benefits;
- Performance and appraisals information;
- Complaints, feedback, internal investigation, disciplinary actions and grievances;
- Termination notice;
- Social media profile (if shared by the employee);
- Any other information you provide to us in relation to your employment and working arrangements.
The legal bases to process employee’s information and/ or personal data are:
- Performance of a contract – To enable us to carry out our day-to-day activities such as payroll, benefits and provide the agreed working arrangements to employees.
- Legitimate interest – To administer and plan for our workforce.
- Consent – In circumstances where you opt to participate in activities or events, or to provide optional information and special category personal data to us;
- As an employer, we also need to comply with some of the laws and regulations which include (non exhaustive list):
- Equality Act 2010 (for general wellbeing, unlawful harassment and misconduct);
- The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (for accident records);
- Income Tax (Employment) (Amendment No. 6) Regulations 1996 (for NI returns, income tax and HMRC correspondence);
- Maternity & Parental Leave Regulations 1999 (for maternity & paternity records, certification and pay calculations);
- Health & Safety at Work Act 1974 (to manage employee’s health and safety at work as well as for those working from home).
Please note that due to the nature of our services and products and to comply with relevant laws and regulations (e.g., Financial Crime Legislation, FCA regulatory requirements and all other applicable laws), employee’s emails and communications are being routinely monitored to ensure we adhere to our regulatory obligations and code of conduct to prevent the misuse of sensitive information of our employees, investors and customers with unauthorised parties. We rely on the legal obligation imposed on us as one of the lawful bases to carry out this activity.
Why do we need personal data?
We need to process your personal data for the general administration of the contract we have entered into with you and for our business operations. We also have a legal obligation to process your sensitive personal data to comply with the laws and regulations (e.g. for occupational health, accidents or injuries at work, for statutory maternity pay, etc.).
We will only use your personal data for the purpose for which we collected it in the first place and in relation to your employment. For other purposes not stated above, we will ensure that processing is only carried out where it is compatible with the main purpose.
How long do we keep your data for?
Employee records will be retained for 6 (six) years after the end of employment.
10. Job applicant
When do we collect information about you?
We process your personal data either through the employment agencies, on our website career section or through LinkedIn. Your information will be processed by our recruitment team who will then send it across to the relevant business unit for the job role you are applying for.
Personal data we collect and the legal bases to process
- Name, date of birth, home address, email address, telephone number;
- LinkedIn profile (your profile link)
- Work experience;
- Academic and professional qualifications/ membership;
- School, college and/or university;
- Current salary & salary expectation;
- Notification period;
- Health and disability information;
- Marital Status;
- Gender;
- Disability or health conditions that you share with us;
- Race and religion (optional)
- Sexual orientation (optional)
- Any other information you provide to us in relation to your application whether in your CV or directly with us
The legal bases that we rely on are:
- Consent – When you choose to progress with your interest either on LinkedIn; our Career page; or with the employment agency;
- Legitimate Interest – Your application will help us to assess your skills and experience relevant to the role you are applying for, and the process may help us to develop and improve our recruitment process.
Additionally, it is important for us to verify the information in your application and we use a background check service provider to confirm your details and previous working experience.
- Legal Obligations – Some information you provide may impose a legal obligation on Octopus Group and require us under the Equality Act 2010 to protect your wellbeing at the workplace.
- Performance of a Contract – In the event your application is successful, Octopus Money will use your personal data to do the necessary to prepare your employment contract
- Processing under Article 9(2)(b) – We are allowed to process your sensitive and special category of personal data under Article 9(2)(b) when we receive sensitive information such as race, religion, sexual orientation and/or health
Why do we need your personal data?
We would not be able to consider your application without your information and/or personal data as we need to assess your suitability for the role. Additional information provided will be used to prepare the necessary working arrangements when you have been selected.
How long do we keep your data for?
Your data may be retained for up to one (1) year in case there are queries or where your application is reconsidered for the same role or other role(s).
Do you share my data with anyone else?
Your data may be shared with other firms within the Octopus Group of companies or selected third parties for the purpose of identity verification. Your data will also be stored in our HR systems which are provided by a third party company.
11. Octopus Money Account or System User
When do we collect information about you?
We require your personal data when you submit your interest and/or enquire about our products or services. Your personal data will also be used when we create your user online accounts on our systems, in any calls or communications we may have with you and to create any products or services which you may require.
Personal data we collect and the legal bases to process
- Name, date of birth, home and/or office address, email address, telephone number;
- Employment details;
- Gender;
- Income/Financial/Tax Details;
- NI number;
- Nationality and country of citizenship;
- Investment data and valuations;
- Login details (for online account);
- Health or disability information (if provided);
- Communication records (for security and monitoring purposes)
It is within our legitimate interests to process your personal data for us to fulfill your investment into one of our products, and for the general administration of your account and products/services.
We rely on your consent when you choose to receive marketing communications from Octopus.
We also have a legal obligation to comply with the laws and regulations concerning your investment, fund and/or product, for example for fraud reporting obligations or anti-money laundering.
Why do we need personal data?
To manage your products, services and accounts with us.
To send the company’s news, updates and/or products following your consent for marketing communications.
Relevant to our mortgage advice product only and through your application process, we may share your personal information with credit reference agencies (CRAs) and fraud prevention agencies (FPAs) to (among all other necessary checks to be carried out prior to providing services to you) verify your identity, assess creditworthiness, provide your financial history, manage your account, and help us prevent fraud and money laundering.
How long do we keep your data for?
Your personal data will be retained for a period of no more than 5 (five) years after the account has been closed unless stated to the contrary in this document.
Where you have received financial advice from us, we will retain your data for the following periods:
- Five years for investment business
- Three years for mortgage business
- Three years for insurance business
- Indefinitely for pension transfers and opt-outs.
We may be required to retain information for a longer period for regulatory and crime prevention purposes.
12. Third-Party supplier
When do we collect information about you?
We collect personal data of the account manager (where applicable) or contact person of the third-party supplier when we request the company’s goods or services, or when we agree to sign the contract with the supplier.
Personal data we collect and the legal bases to process
- Name, email address, telephone number and Job title
- Bank account details (particularly for individual supplier/consultant)
The lawful bases to process your personal data are:
- Performance of a contract for the goods and/or services;
- Legal obligation: To comply with the Bribery Act 2010, Modern Slavery Act 2015 and other applicable laws.
- Legitimate interest: To manage business contacts and the general administration of our third-party suppliers.
Why do we need personal data?
We do not use your personal data for other purposes than to manage the third-party supplier contract with us.
How long do we keep your data for?
Personal data in relation to managing the goods and services will be retained in our records until it is replaced with a new business contact from your organisation. The same retention period applies to individual consultants.
Key suppliers
We use a number of third parties to support our work, in particular regarding the prevention of financial crime and verifying your identity. Details of how our verification supplier uses your data are available on request.
Reviews and feedback
Octopus Money may contact you via email to invite you to review any services and/or products you received from us. This is in order to collect your feedback and improve our services.
We may invite you to provide reviews or feedback through independent review sites such as VouchedFor or you may be contacted by external companies appointed by us for this purpose. This may include service providers such as Trustpilot. These third parties may contact you to collect your feedback which means that we will share your name, email address and reference number with Trustpilot for the Purpose. If you want to read more about how Trustpilot or VouchedFor process your data, you can find their Privacy Policy on their websites.
13. Disclosure of your information (including outside of the European Economic Area “EEA”)
We may share your personal information within the Octopus Group.
When we share your information with third parties, they will process your information and/or personal data either as a data controller or as our data processor, depending on the purposes of our sharing your information and/or personal data with such third parties. We will only share your information and/or personal data in compliance with the applicable data protection laws and regulatory requirements.
We may disclose your information:
- With previous employers or through the employment agency when you submit your job application;
- When other products and services within the Octopus Group may interest you provided we have your consent;
- If we are under a duty to disclose or share your personal data with any government bodies or agencies or law enforcement, to comply with any judicial or legal obligations or regulatory requirements or to protect the rights, property or safety of: (i) the Octopus Group websites, (ii) our customers, (iii) exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and/or
- To third-party suppliers who will process our data on our behalf and their authorised employee(s) and/or team(s) who need to access your personal data.
Transfers may be made outside the EEA where we are satisfied that appropriate safeguards are in place.
We may share some broader statistics and customer profiling information with third parties and within the Octopus Group, but the information or data will be anonymised, so you will not be identifiable from that data. We do not rent or sell your personal data and/or information details to any other organisation or individual.
14. Storage of your personal data (including outside of the “EEA”)
Our main storage and back-up database is located within the U.K. However, the information and/or personal data that we collect and process may be transferred to, and stored at, a destination outside of the UK via a third-party system, particularly when we use a cloud-based platform. We ensure that appropriate safeguards are implemented and your information and/or personal data will be protected in the same way that they are managed and stored in the UK.
In the event that we transfer information to countries outside of the EEA, we will only do so where:
- the European Commission has decided that the country or the organisation, entity or individual to whom we are transferring to or sharing your personal data and/or information with, will protect your information and/or personal data adequately;
- the transfer has been authorised by the relevant data protection authority; and/or
- We have entered into a contract with the organisation, entity or individual with whom we are sharing your personal data and/or information (on such terms as approved by the European Commission), to ensure your information is adequately protected.
15. Security
We take all steps reasonably necessary to ensure that your information and/or personal data is treated securely and in accordance with this Privacy Notice.
We implement strict procedures and security features to protect your information and/or personal data and to prevent unauthorised access. Unfortunately, the transmission of information via the internet may not always be completely secure from malicious online attack; however, we will do our best to protect your information and/or personal data while we retain it for our purpose.
16. Your rights
We want to make sure you are aware of your rights in relation to the information and/or personal data that we process about you. We have described those rights and the circumstances in which they apply, in the table below and you can contact us at dataprotection@octopusmoney.com to exercise your rights:
Rights and description:
- Access: You have the right to access and/or obtain your information and/or personal data that we hold about you.
- Rectification: If you believe that any of the information and/or personal data that we hold about you is inaccurate, you have the right to inform us and rectify it.
- Erasure: You may request that we delete your information and/or personal data, if you believe that:
  - we no longer need to process your information and/or data for the purposes for which it was provided;
  - we have requested your permission to process your information and/or data and you wish to withdraw your consent; or
  - we are not using your information and/or data in a lawful manner.
- Restriction: This right can be exercised under any of these circumstances:
  - when you believe that the information and/or personal data that we hold about you is inaccurate and thereafter, we will need time to verify the accuracy;
  - we have processed your information and/or personal data unlawfully however, you would prefer to restrict the processing instead of erasure;
  - we have requested your permission to process your information and/or data and you wish to withdraw your consent; or
  - we are not using your information and/or data in a lawful manner.
- Portability: You have a right to receive the information and/or personal data you provided to us in a portable format. This is an extension to your right of access.
  Please note that this right is only applicable to electronic processing of your personal data and when the information and/or personal data is collected directly from the individual requesting to exercise this right. We will attend to your request only in the event that the information and/or personal data is being processed based on your consent or contractual necessity.
  You may also request us to provide it directly to a third party, if technically feasible.
- Marketing: You have a right to object at any time to processing of your information and/or personal data for direct marketing purposes, including profiling you for the purposes of direct marketing.
We do not carry out processing that involves automated decision making that may affect the rights of, or produce legal effects on, our employees, investors and/or customers.
17. Complaint
If you wish to raise a complaint on how we have handled your information or to exercise your rights under section 15 above, you can contact our Data Protection Team who will investigate the matter via:
- Email: dataprotection@octopusmoney.com
- Write to us at: Data Protection, Octopus Money, 33 Holborn, London, EC1N 2HT
- Call us: 020 3195 4455
We hope that we can address any concerns you may have, but you can always contact the Information Commissioner’s Office (ICO) to further inquire or to lodge your complaint by visiting their page https://ico.org.uk/global/contact-us