1. Who we are

2. Data we collect

As a data controller we collect a variety of data in order to deliver our services. Whenever we collect Personal Information from you, we let you know and you will be able to access the following precise information:

We have provided further detail below about the specific types of data we collect and our reasons for doing so.

2.1 What data do we ask you to provide to us, and why?

We collect your personal data typically when you register for our services, make a purchase, enter a sales promotion or otherwise interact with us. Below are examples of the categories of the data we collect on you.

“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together below. Not all of the following types of data will necessarily be collected from you but this is the full scope of data that we collect and when we collect it from you:

• Profile/Identity Data: This is data relating to your first name, last name, gender, date of birth.
• Contact Data: This is data relating to your addresses, email addresses, phone numbers.
• Company Data: Where you choose to make contributions into a Raindrop pension via a limited company we may collect data on this company such as the name, registered address and registration number.
• Marketing and Communications Data: This is your preferences in receiving marketing information and other information from us.
• Financial Data: These are your banking details e.g. your account number and sort code.
• Company Financial Data: Where you choose to make contributions into a Raindrop pension via a limited company, we will collect the relevant banking details e.g. your business bank account number and sort code.
• Transactional Data: This is information of details and records of all payments you have made for our services or products.
• Previous Pension Data: This is data we collect to find and, where relevant, transfer old pensions to and from Raindrop as you may request. This includes previous pension provider names, scheme names, plan reference numbers, old employers, employment dates and previous address history.
• Technical Data: This is your IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to engage with us.
• Customer Support Data: This includes feedback, conversation scripts and survey responses.
• Usage Data: information about how you use our website, products and services.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).

We may collect information about criminal convictions and offences to comply with our legal & regulatory obligations when opening a Raindrop pension

2.2 The Legal Basis for Collecting That Data

There are a number of justifiable reasons under the GDPR that allow collection and processing of Personal Data. The main avenues we rely on are:

• "Consent": Certain situations allow us to collect your Personal Data, such as when you tick a box that confirms you are happy to receive email newsletters from us, or ‘opt in’ to a service.
• "Contractual Obligations": We may require certain information from you in order to fulfil our contractual obligations and provide you with the promised service.
• "Legal Compliance": We’re required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions.
• "Legitimate Interest": We might need to collect certain information from you to be able to meet our legitimate interests - this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedom or interests. Examples could be your address, so that we know where to deliver something to, or your name, so that we have a record of who to contact moving forwards.

On the Raindrop website myraindrop.co.uk

In the Raindrop App app.myraindrop.co.uk or other subdomains of myraindrop.co.uk

If you have agreed to being part of user research

We may occasionally reach out to conduct more in-depth research with users. In these cases, we will explicitly ask for your consent to process the following data.

2.3 Data we collect from third parties

We collect the following data from third parties to fulfil our legal and regulatory requirements.

3. Our other legitimate interests in using your data

Taking into account your interests, we process yourpersonal data for the following purposes:

3.1 To verify your identity and administer your account

We process and use your personaldata to ensure the functionality and security of our products and services, toidentify you and the instructions you give us, and to prevent and detect fraudand other misuses.

3.2 Development of products and services

We process and use your personal data to develop our products and/or services. However, for the most part we only use aggregate and statistical information in the development of our products and services, and not data directly identifiable to you. We may also process and use your personal data to personalise our offerings and to provide you with service more relevant to you, for example, to make recommendations and to display customised content and advertising. We may combine personal data collected in connection with your use of a particular product and/or service with other personal data we may hold about you, unless the purpose for which we collected that data is incompatible with amalgamation.

3.3 Communicating with you and marketing

We process and use your personal data to communicate with you, for example, to provide information relating to our products and/or services you are using or to contact you for customer satisfaction queries. We may process and use your personal data for marketing. Market purposes may include using your personal data for personalised marketing or research purposes in accordance with applicable laws, for example, to conduct market research and to communicate our products, services or promotions to you via our own or third parties’ electronic or other services. When contacting you for the purpose of marketing, we will take into account any preferences you have expressed to us, including any desire not to receive marketing.  

3.4 Automated decision making and profiling

We may process and use your personal data for profiling for such purposes as targeted direct marketing and improvement of our products or services. We may also create aggregate and statistical information based on your personal data. Profiling includes automated processing of your personal data for evaluating, analysing or predicting your personal preferences or interests in order to, for example, send you marketing messages concerning products or services best suitable for you.

3rd parties that we use in respect of identity checking and fraud prevention may offer us an automated result based on your personal data.

These results are only used in part of a manual decision process on whether we wish to offer a Raindrop account to you. It is our right to decide whether to offer an account or not.

3.5 Tracking remuneration due to us or our partners

We use your personal data to ensure that we receive the remuneration or commission due to us from, or payable by us to, any third-party product providers or distributors.

3.6 Business continuity

In the event of an interruption or cessation of our business, we need to ensure that we can implement our business continuity procedures (for example, we may need to rebuild our IT systems) or wind down planning to protect your interests. This may involve a transfer of your personal data to a third party (see below).

4.   What personal data do we share with third parties and who are they?

To power our services, we will transfer your personal data to the third parties noted below, or as obligated by law.

As our Principal for regulatory manners, Resolution Compliance Limited is a joint controller of your personal data in relation to our regulated activities.

4.1 Material service providers

We will transfer your personal data to the following third parties who provide us with a material service:

4.2 Generic service providers

We may transfer your personal data to third parties who control or process personal data on our behalf to enable the efficient technical and logistical provision of our services. These service providers supply us with cloud data storage, data security services, customer relationship management software, and support ticketing services. We may substitute a technical or logistical service provider from time to time. Such parties are generally not permitted to use your personal data for any other purposes than for what your personal data was collected, and we require them to act consistently with applicable laws and this Notice as well as to use appropriate security measures to protect your personal data.

4.3 Event driven transfers

We may transfer your personal data to third parties in certain events where is it necessary to protect your, or our, legitimate interests. This includes the cessation, sale or transfer of our business; civil or criminal legal, or regulatory, proceedings; or insurance claims.

4.4 Ancillary service providers

With your consent and to allow us to provide other services that you have requested from us we may share your data with ancillary service providers such as accountants or financial planners. We will only do this with your consent and if you have requested this service.

4.5 Pension finding and transfer requests

With your consent and to allow us to provide the service of finding or transferring an old pension that you have requested from us we may share your data with relevant ceding pension providers. We will only do this with your consent and if you have requested this service.

4.6 International transfers 

Our products and services may be provided using resources and servers located in various countries around the world. Therefore, your personal data may be transferred outside the country where you use our services, including to countries outside the European Economic Area (EEA). We will only transfer data in such circumstances if the level of data protection in that jurisdiction is deemed adequate, or if there are appropriate safeguards in place to protect your privacy.  

5. How long do we keep personal data?

We will only keep your personal data for so long as it is reasonable for us to do so, depending upon the nature of the data and our processing, and the grounds upon which we collected it. In general, we will delete redundant account information within 30 days of our relationship ending. However, we are obliged to keep certain records of our relationship to comply with the FCA’s rules, in which case we will instead restrict access through our archiving processes. Subject to any actual or potential legal claim, the maximum time that we envisage retaining any of your information is seven years, after which time it will be destroyed.

Information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. If you do notify us that you no longer wish to receive marketing information we will keep an encrypted version of your contact information to ensure we respect your wishes.

6. How do we keep your personal data secure?

We keep your data secure:

• by following internal policies of best practice and training for staff
• by restricting access to personal data and preventing unauthorised access, use, destruction or disclosure
• by conducting privacy impact assessments in accordance with the law and our business policies
• by encrypting personal data
• by using Secure Socket Layer (SSL) technology when information is submitted to us online
• by managing third party risks through security reviews and contracts

In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we shall also inform you.

7. Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

7.1 Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or opened an account with us and you have not opted out of receiving that marketing.

7.2 Third-party marketing

We will getyour express opt-in consent before we share your personal data with any thirdparty for marketing purposes.

7.3 Opting out

You can ask us or third parties to stop sending you marketing messages at any time by letting us know through the Contact Us section of our website or by following the optout links on any marketing message sent to you. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of for other purposes.

8. Cookies

A cookie is a small piece of code, sent from a website sends to a user's internet browser, which allows that website to track the user's previous activity when they return to that website. This allows us to provide you with the experience that you expect from us and lets us continually improve our service. You can block cookies by changing the settings on your browser, but if you do you will not be able to access all or parts of our website.

The types of cookies we use are:

• Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

We do not have any control over the use of cookies by third parties, including our partners and affiliates. To manage cookies from third party websites you will need to visit their site to adjust your settings.

For more information on our use of cookies you can view our cookie policy here.

9. Third party links

This website may include links to third-party websites,plug-ins and applications. Clicking on those links or enabling thoseconnections may allow third parties to collect or share data about you. We donot control these third-party websites and are not responsible for theirprivacy statements. When you leave our website, you should read the privacynotice of every website you visit.

10. Your rights

You have the following rights over your data, depending on the basis on which it is held:

• Right to be informed. This Privacy Policy constitutes our informing you of how we use your personal data and your rights
• Right of access. You have the right to understand how we process your personal data and on which legal basis as provided in this Privacy Policy. You also have the right to request access to your personal data.
• Right to rectification. You have the right to correct any incorrect personal data we store about you. You can change your own personal data in most cases or else speak with our Customer Support team.
• Right to erasure. Also known as the right to be forgotten, you may ask for your personal data to be deleted. Please note that this will constitute an account closure in most cases. We are legally obliged to retain data however even after an account closure – see How long do we keep personal data?
• Right to restrict processing. You have the right to restrict our processing of your personal data.
• Right to data portability. You have the right for your personal data to be exportable in easy to use, open formats such as CSV.
• Right to object to processing of your personal data in certain circumstances, and
• Rights related to automated decision-making i.e. where no humans are involved, and profiling i.e. where certain personal data is processed to evaluate an individual – see Automated decision making and profiling

11. Changes to our privacy policy and control

We may change this privacy policy from time to time. When we do, we will let you know by changing the date on this policy and notifying you of significant changes. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised privacy policy.

12. Contact us

We are Raindrop and our address is Runway East, London Bridge, 20 St Thomas Street, London SE1 9RS, UK. You can contact our Data Protection Officer at privacy@myraindrop.co.uk.