last updated 28 June 2022
We are committed to protecting the information we hold about you. This Privacy Notice applies to the processing activities of the Shard Capital Group. This consists of Shard Capital Partners LLP (trading names: Shard Capital, Shard Capital ECM, Shard Capital Stockbrokers, Shard Capital Investor Visa, Alternative Resource Capital, LeifBridge and Tennyson Securities), Shard Capital AIFM LLP and Shard Capital Limited.
Any reference to ‘us’, ‘our’ or ‘we’ in this Privacy Notice is a reference to Shard Capital. Similarly, any reference to ‘you’, ‘your’, ‘yours’ or ‘yourself’ in this Privacy Notice is a reference to any of our past, prospective or current ‘clients’ or intermediaries.
If you are applying for a role at Shard Capital, please see our Candidate Privacy Notice.
Our Privacy Notice will be reviewed from time to time to take account of new obligations and technology, changes to our operations and practices and to make sure it remains appropriate to the changing environment.
What kind of personal data do we collect?
We collect information necessary to fulfil our obligations to our clients in the course of providing a range of financial services.
We may collect the following types of information about you:
- Your personal details (for example, your name, date of birth, passport information or other identification information)
- Your contact details (for example, your postal address, phone number, email address or mobile number)
- Financial information (for example, your bank account numbers, financial history, account balances, trading and financial statements)
- Details about your physical or mental health and lifestyle
- Employment details including employment history
- Family details
- Location data
- Technical data including internet protocol (IP) address, your login data, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Information about criminal convictions and offences
- Your marketing preferences
On occasion the following sensitive personal data may be obtained: physical or mental health details, political opinion, racial or ethnic origin and religious beliefs. We will only obtain and process this information with your consent (permission) or in situations where it is in the wider public interest.
We also keep records of your trading behaviour, including:
- a record of; products you trade with us and their performance;
- products we trade on your behalf and their performance; and
- historical data about the trades and investments you have made.
Much of this information is collected in compliance with our duties under FCA rules. This includes our obligation to verify the identity of clients and to maintain records of regulated business including a record of products you invest in and historical data about investments you have made. If you chose not to provide the information required, we may not be able to provide you with the requested product or service.
If you choose to provide us with any Personal Data relating to a third party (e.g. information relating to your spouse, children, parents, and/or employees) or ask us to share their personal data with third parties, by submitting such information to us, you confirm that they understand the information in this notice about how we will use their personal data.
How is the personal data obtained?
We obtain this information in several ways, for example through your use of our services or other dealings with us including through the account opening process, enquiry forms, and from information provided in the course of ongoing correspondence.
We may also collect personal data from:
- People appointed to act on your behalf
- Publicly available sources
- Credit reference agencies
- Organisations that provide their own personal data, or personal data from third parties, to help us to improve the personal data we hold, and provide more relevant and interesting products or services to you
Additionally, we may obtain personal data about you through your use of our websites, by recording your activity and which pages you look at on our websites (please see here on Cookies)
We may record any communications with you including electronic mail, telephone calls, in person or otherwise, which will constitute evidence of the communications between us. This information is collected in compliance with our duties under FCA rules in relation to our record keeping obligations.
Telephone conversations may be recorded without the use of a warning tone or any other further notice. Further, if you visit any of our offices or premises, we may have CCTV which may record your image.
What Lawful Basis do we rely on?
We must have a legal basis (lawful reason) to process your personal data. In most cases, the legal basis will be one of the following:
- To allow us to take actions that are necessary for us to provide you with the product or service you want;
- To allow us to meet our legal obligations (for example, getting proof of your identity to meet our anti-money laundering obligations);
- To protect our legitimate interests (for example, to understand how clients use our services so we can develop new services and improve the services we currently provide);
- where we obtain your consent;
- to protect your interests; and
- where something is done in the public interest.
The table below sets out what we use your personal data for and our legal basis for doing so. Where our legal basis is a legitimate interest (that is, where our interests do not outweigh our clients’ interests), those interests are also set out in the table.
|What we use for information for||The legal basis for doing so|
|To provide, manage and personalise our services to you.||• Where necessary to carry out our agreement or to take steps to enter into an agreement with you • Where the law requires this • It is in our legitimate interests to make sure that our client accounts are well-managed, so that our clients are provided with a high standard of service, and to protect our business interests and the interests of our clients|
|To check your instructions to us, to analyse, assess and improve our services, and for training and quality purposes. (We may monitor or record any communications between you and us, including phone calls, for these purposes).||• Where the law requires this • It is in our legitimate interests to develop and improve our systems, train our staff, and provide our clients with a high standard of service|
|To communicate with you about your product or service, for legal, regulatory and servicing purposes.||• Where necessary to carry out our agreement or to take steps to enter into an agreement with you • Where the law requires this|
|To manage complaints, take action to put matters right and to answer questions.||• Where necessary to carry out our agreement or to take steps to enter into an agreement with you • Where the law requires this • It is in our legitimate interests to make sure that complaints are investigated (for example, so that our clients receive a high standard of service and we can prevent complaints from arising in the future)|
|To develop and improve products and services, by assessing and analysing the information, including credit and behaviour scoring and market research. We may also use this information to help decide whether to offer you a product.||• Where necessary to carry out our agreement or to take steps to enter into an agreement with you • It is in our legitimate interests to develop and improve our products and services, so that we can continue to provide products and services that our customers want to use, and to make sure we continue to be competitive|
|To carry out checks for the purposes of keeping your money and personal data secure, detecting and preventing fraud and money laundering, and to check your identity before we provide services to you.||• Where necessary to carry out our agreement or to take steps to enter into an agreement with you • Where the law requires this • It is in our legitimate interests to detect, prevent and investigate fraud, money laundering and other crimes and to verify your identity to protect our business|
|To tell you about our products and services, and the products and services of other associated organisations (unless you have opted out of marketing, or we are prevented by law from doing so).||• It is in our legitimate interests to give you information about our products and services that you may be interested in|
|To recover debt and exercise other rights we have under any agreement with you, as well as to protect ourselves against harm to our rights and interests in property.||• Where necessary to carry out our agreement or to take steps to enter into an agreement with you • Where the law requires this • It is in our legitimate interests to make sure that our business is run prudently (that is, with consideration for what may happen in the future) and we can recover the debts owed to us, as well as making sure our assets are protected|
|To prevent and detect fraud, money laundering and other crimes (such as identity theft) (For example, we may use CCTV in and around our premises to monitor and collect images or voice recordings (or both).||• Where the law requires this • It is in our legitimate interests to prevent and investigate fraud, money laundering and other crimes, to check your identity to protect our business, and to keep to laws that apply to us|
|To keep to laws and regulations that apply to us and co-operate with regulators and law enforcement organisations.||• Where the law requires this • It is in our legitimate interests to protect our business • If we are using sensitive personal data, it is in the public interest|
|For assessment, testing (including systems tests), analysis (including credit and behaviour scoring) and market research. We may use this information to analyse our credit risk. We may also use your information to prepare statistical, market-analysis and product-analysis reports to be shared internally and externally, including with non-Shard Capital companies. The information we share is never personal to you and nobody will be able to identify you from it.||• Where the law requires this • It is in our legitimate interests to develop, build, improve and put in place business models, systems, products and services, and to produce and provide reports for our benefit and the benefit of others and provide a high standard of service|
|To personalise the marketing messages you receive so they are more relevant and interesting.||• It is in our legitimate interests to provide information more relevant to clients’ circumstances|
Sensitive Personal Data
Some of the information we collect is sensitive personal data (also known as special categories of data). We may process personal data that relates to your health (such as your medical history) and any criminal convictions and offences. If we use sensitive personal data, we will usually do so on the legal basis that it is in the wider public interest, to establish, take or defend any legal action or, in some cases, that we have your permission.
In any case, we will keep to all laws that apply.
|What we use your sensitive personal data for||The legal basis for doing so|
|To carry out due diligence checks (background checks, such as sanctions checks), which may reveal political opinions or information about criminal convictions or offences.||• It is in the wider public interest|
|We may use your medical information for some of the purposes set out above (for example, to settle complaints and answer questions, to help provide, manage and personalise our services, flagging up special circumstances.||• It is in the wider public interest • We have your permission to do so, such as placing markers on your account which tell us you are hard of hearing or have poor eyesight|
|To keep to laws and regulations that apply to us, and co-operate with regulators and law enforcement organisations.||• It is in the wider public interest|
We may ask you for permission to collect and use certain types of personal data when we must do so by law (for example, when we process sensitive personal data or place cookies or similar technologies on devices or browsers). If we ask you for permission to process your personal data, you can refuse, or withdraw your permission at any time, by using the contact details at the end of this privacy notice or, if in relation to cookies or similar technologies, by clicking on the ‘C’ logo in the bottom right-hand corner of the webpage (please see here on Cookies).
Disclosure of your personal data
We may share the personal data we hold about you across Shard Capital to enable us to better understand your needs and run your accounts in the efficient way that you expect. Your personal data may also be used for customer modelling and statistical or trend analysis, with the aim of developing and improving our products and services.
We will never sell, trade, or rent your Personal Data to others; however, we may share your information with selected third parties including:
- our service providers, suppliers and sub-contractors for the performance of any contract we have entered into with them. They may then process this data on our behalf to help run some of our internal business operations such as IT services;
- governmental or judicial bodies or agencies to comply with our legal and regulatory obligations;
- fraud prevention agencies and other companies and organisations to prevent or detect financial and other crime;
- non-affiliated companies may sometimes be used to provide certain services such as preparing and mailing prospectuses, reports, account statements and other information, conducting research on client satisfaction and gathering shareholder proxies;
- advertisers and advertising networks that require the data to select and serve adverts about our services to you and others. It will only be passed to third party advertisers to provide services on behalf of Shard Capital;
- data, service and software providers that assist us in the improvement and optimisation of our sites;
- credit reference agencies or a verification company to conduct checks on you to verify the information you have provided.
Where we share your data with third parties, we ensure that your data is held securely.
Sharing information about you with tax authorities outside the UK
We would usually supply aggregated data to tax authorities.
We may be required by law or regulation to share information about your accounts with relevant tax authorities, either directly or through the local tax authority. The tax authority we share the information with could then share that information with other appropriate tax authorities. If we need extra documents or information from you about this, you must provide them. If you don’t, we may need to close your account or, if the law or other regulations require us to do so, we’ll withhold parts of certain payments received into your account and pass the withheld funds to the relevant tax authorities.
Do we make automated decisions concerning you?
We do not carry out automated profiling on you; however we may send your details on to a reference agency necessary for compliance with a legal obligation – for example in connection with fraud prevention or anti-money laundering.
How we store personal data
Safeguarding the privacy of your information is important to us, whether you interact with us personally, by phone, by mail, over the internet or any other electronic medium.
We hold personal data in a combination of secure computer storage facilities and paper-based files and other records. Steps are taken to protect the personal data we hold from misuse, loss, unauthorised access, modification or disclosure.
When we consider that personal data is no longer needed, we will remove any details that will identify you or we will securely destroy the records. However, we may need to maintain records for a significant period of time in line with our regulatory obligations. For example, we are subject to certain anti-money laundering laws which require us to retain verification of identity records for a period of five years after our business relationship with you has ended.
If we hold any personal data in the form of a deed, we will hold this deed in its complete form for a period of 12 years after our business relationship with you has ended.
If we hold any personal data in the form of a recorded communication, by telephone, electronic mail, in person or otherwise in relation to our regulatory obligations as detailed above, this information will be held in line with local regulatory requirements which will generally be between five and seven years after our business relationship with you has ended.
Where you have opted out of receiving marketing communications we will hold your details (e-mail address) on our suppression list so that we know you do not want to receive these communications.
Management and safeguarding of personal data
Our approach to information security does not rely solely upon a written security policy or standards. We also maintain the confidentiality, integrity and availability of information through the protection of our technology resources and assets.
Measures include, but are not limited to:
- Desktop and laptop full disk encryption
- Removable media encryption tools
- Desktop and laptop firewalls
- Antivirus and anti-malware software
- Multifactor authentication approaches
- Automated patching and security vulnerability assessments
- Strong physical, environmental, network and perimeter controls
- Intrusion detection and prevention technologies
- Monitoring and detection systems
- Dark Web monitoring
- Brand exploitation detection
- Geo blocking
In addition, we invest considerable time and resources into future state security technologies. We align our information security strategy to our technology product road map and maintain a close association with our technology service offerings. This properly positions us to address security issues that might otherwise threaten the confidentiality, integrity or availability of our technology resources. Our teams offer tools designed to help us collaborate with Shard Capital clients and to securely and reliably transfer and store data.
Your rights as a data subject
The data protection laws give you certain rights in relation to the data we hold on you. These include the following rights to:
- request a copy of the personal data we hold about you;
- request that we supply you (or a nominated third party) with a copy of the personal data that you provided to us;
- inform us of a correction to your personal data;
- exercise your right to restrict our use of your personal data;
- exercise your right to erase your personal data; or
- object to the ways in which we are using your personal data.
Your ability to exercise these rights will depend on a number of factors and in some instances, we will not be able to comply with your request e.g. because we have legitimate grounds for not doing so or where the right doesn’t apply to the particular data we hold on you. If you would like more information on these rights, please contact email@example.com
Where you have provided consent to our use of your data, you also have the unrestricted right to withdraw that consent at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent.
Transfers of personal data outside the UK or EEA
When we or fraud prevention agencies share information with organisations in another jurisdiction, we will ensure they agree to apply equivalent levels of protection for personal data. If this is not possible – for example because we are required by law to disclose information – we will ensure the sharing of that information is lawful. Also, if they are not in a jurisdiction that is regarded as having “adequate” levels of protections for personal data, we will put in place appropriate safeguards (such as contractual commitments), in accordance with applicable legal requirements, to ensure that your data is adequately protected.
If you ask us to share information with third parties who provide payment initiation or account services (either in the UK or in another country), we will rely on your request (whether direct or indirect) to share the relevant information. We don’t have control over such third-party practices. We recommend that you (or the person(s) with authority over your account) consider the information-handling practices of that third party before requesting their services by reading their privacy notices or contacting them to ensure you are comfortable with how they will handle your information.
Links to external websites
Our sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies or how such websites collect and use your data. Please check these policies before you submit any personal data to these websites.
What happens if our business changes hands?
We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.
Updates to the Privacy Notice
We reserve the right to update this Notice to reflect any legal changes or changes to the way in which we process your personal data. The updated Notice will be published on our website and comes into effect at the time of publication on the website.
If you have any queries regarding privacy issues or the content of this Privacy Notice, you can email firstname.lastname@example.org or write to us at: Shard Capital, 70 St Mary Axe, London, EC3A 8BE.
What if you have a complaint?
If you have a concern about any aspect of our privacy practices, you can make a complaint. This will be acted upon promptly. To make a complaint, please contact us via email@example.com. If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with our supervisory authority, the Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113.