1. Who we are

2. Data we collect

As a data controller we collect a variety of data in order to deliver services. Whenever we collect Personal Information from you, we let you know, and you will be able to access the following precise information:

We have provided further detail below about the specific types of data we collect and our reasons for doing so.

2.1 What data do we ask you to provide to us, and why?

We collect your personal data typically when you register for our services, make a purchase, enter a sales promotion, or otherwise interact with us. Below are examples of the categories of the data we collect on you.
‍
“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
‍
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together below. Not all of the following types of data will necessarily be collected from you, but this is the full scope of data that we collect and when we collect it from you:

• Profile/Identity Data: This is data relating to your first name, last name, gender, date of birth as described in this policy for the particular channel through which we deal with you.
• Contact Data: This is data relating to your addresses, email addresses, phone numbers.
• Marketing and Communications Data: This is your preferences in receiving marketing information and other information from us.
• Previous Pension Data: This is data we collect to find and, where relevant, transfer old pensions to and from Raindrop as you may request. This includes previous pension provider names, scheme names, plan reference numbers, old employers, employment dates and previous address history.
• Technical Data: This is your IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to engage with us.
• Customer Support Data: This includes feedback, conversation scripts and survey responses.
• Usage Data: Information about how you use our website, products, and services.

2.1.1 Sensitive Personal Data

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership and genetic and biometric data).

2.2 The Legal Basis for Collecting That Data

There are a number of justifiable reasons under the GDPR that allow collection and processing of Personal Data. The main avenues we rely on are:

• "Consent": Certain situations allow us to collect your Personal Data, such as when you tick a box that confirms you are happy to receive email newsletters from us, or ‘opt in’ to a service.
• "Contractual Obligations": We may require certain information from you in order to fulfil our contractual obligations and provide you with the promised service.
• "Legal Compliance": We’re required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions.
• "Legitimate Interest": We might need to collect certain information from you to be able to meet our legitimate interests - these covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedom or interests. Examples could be your address, so that we know where to deliver something to, or your name, so that we have a record of who to contact moving forwards.

On the Raindrop website myraindrop.co.uk and ancillary websites to which this policy applies:

In the white-label Raindrop Apps we build for our clients that are hosted on subdomains of myraindrop.co.uk or through pension finding services that are powered by Raindrop and offered by our clients (through APIs/ iframe) we may collect the following:

If you have agreed to being part of user research

We may occasionally reach out to conduct more in-depth research with users. In these cases, we will explicitly ask for your consent to process the following data.

2.3 Data we collect from third parties

We collect the following data from third parties to fulfil our legal and regulatory requirements.

3. Our other legitimate interests in using your data

Taking into account your interests, we process your personal data for the following purposes:

3.1 To provide the service you have asked of us

We process and use your personal data to provide the service that you have asked of us, either directly or through our clients.

3.2 To verify your identity and administer your account

We process and use your personal data to ensure the functionality and security of our products and services, to identify you and the instructions you give us, and to prevent and detect fraud and other misuses.

Data that is supplemented from third-parties such as Credit Referencing Agencies is used for the purposes of identifying you and your pension policy at a ceding pension provider as part of our pension finding service.

3.3 Ensuring accurate and up to date account data

Data that is supplemented from third-parties such as Credit Referencing Agencies may also be used for general account management to ensure that your contact details are current for GDPR purposes and to ensure that you receive important communications with regards to your Raindrop pension and our pension finding service.

Where you have signed up for our client's service(s), and where they have requested us to, we may also use data supplemented from third-parties such as Credit Referencing Agencies for their general account management to ensure that your contact details are current for GDPR purposes within their systems and to ensure that you receive important communications with regards to services they offer you.

3.4 Development of products and services

We process and use your personal data to develop our products and/or services. However, for the most part we only use aggregate and statistical information in the development of our products and services, and not data directly identifiable to you. We may also process and use your personal data to personalise our offerings and to provide you with service more relevant to you, for example, to make recommendations and to display customized content and advertising. We may combine personal data collected in connection with your use of a particular product and/or service with other personal data we may hold about you, unless the purpose for which we collected that data is incompatible with amalgamation.

3.5 Communicating with you and marketing

We process and use your personal data to communicate with you, for example, to provide information relating to our products and/or services you are using or to contact you for customer satisfaction queries. We may process and use your personal data for marketing. Market purposes may include using your personal data for personalised marketing or research purposes in accordance with applicable laws, for example, to conduct market research and to communicate our products, services or promotions to you via our own or third parties’ electronic or other services. When contacting you for the purpose of marketing, we will take into account any preferences you have expressed to us, including any desire not to receive marketing.

3.6 Automated decision making and profiling

We may process and use your personal data for profiling for such purposes as targeted direct marketing and improvement of our products or services. We may also create aggregate and statistical information based on your personal data. Profiling includes automated processing of your personal data for evaluating, analysing, or predicting your personal preferences or interests in order to, for example, send you marketing messages concerning products or services best suitable for you.

3rd parties that we use in respect of identity checking and fraud prevention may offer us an automated result based on your personal data.

These results are only used in part of a manual decision process on whether we wish to offer a Raindrop account to you. It is our right to decide whether to offer an account or not.

3.7 Tracking remuneration due to us or our clients

We use your personal data to ensure that we receive the remuneration or commission due to us from, or payable by us to, any third-party product providers or distributors.

3.8 Business continuity

In the event of an interruption or cessation of our business, we need to ensure that we can implement our business continuity procedures (for example, we may need to rebuild our IT systems) or wind down planning to protect your interests. This may involve a transfer of your personal data to a third party (see below).

4.   What personal data do we share with third parties and who are they?

To power our services, we will transfer your personal data to the third parties noted below, or as obligated by law.

As our Principal for regulatory manners, Resolution Compliance Limited is a joint controller of your personal data in relation to our regulated activities.

4.1 Material service providers

We may transfer your personal data to the following third parties who provide us with a material service:

4.2 Generic service providers

We may transfer your personal data to third parties who control or process personal data on our behalf to enable the efficient technical and logistical provision of our services. These service providers supply us with cloud data storage, data security services, customer relationship management software, and support ticketing services. We may substitute a technical or logistical service provider from time to time. Such parties are generally not permitted to use your personal data for any other purposes than for what your personal data was collected, and we require them to act consistently with applicable laws and this Notice as well as to use appropriate security measures to protect your personal data.

4.3 Event driven transfers

We may transfer your personal data to third parties in certain events where is it necessary to protect your, or our, legitimate interests. This includes the cessation, sale, or transfer of our business; civil or criminal legal, or regulatory, proceedings; or insurance claims.

4.4 Ancillary service providers

With your consent and to allow us to provide other services that you have requested from us we may share your data with ancillary service providers such as accountants or financial planners. We will only do this with your consent and if you have requested this service.

4.5 Pension finding requests

With your consent and to allow us to provide the service of finding an old pension that you have requested from us we may share your data with relevant clients through whom you have made this request. We will only do this with your consent and if you have requested this service.

4.6 Data rectification requests

Where you have signed up for our client's service(s), and where they have requested us to, we may offer a data rectification service where we share up to date information, such as address and previous name data to ensure that your contact details are current for GDPR purposes within their systems and to ensure that you receive important communications with regards to services they offer you.

4.7 International transfers 

Our products and services may be provided using resources and servers located in various countries around the world. Therefore, your personal data may be transferred outside the country where you use our services, including to countries outside the European Economic Area (EEA). We will only transfer data in such circumstances if the level of data protection in that jurisdiction is deemed adequate, or if there are appropriate safeguards in place to protect your privacy.

5. How long do we keep personal data?

We will only keep your personal data for so long as it is reasonable for us to do so, depending upon the nature of the data and our processing, and the grounds upon which we collected it. In general, we will delete redundant account information within 12 months of our relationship ending. However, we are obliged to keep certain records of our relationship to comply with the FCA’s rules, in which case we will instead restrict access through our archiving processes. Subject to any actual or potential legal claim, the maximum time that we envisage retaining any of your information is seven years, after which time it will be destroyed.

Information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information. If you do notify us that you no longer wish to receive marketing information, we will keep an encrypted version of your contact information to ensure we respect your wishes.

6. How do we keep your personal data secure?

We keep your data secure:

• by following internal policies of best practice and training for staff
• by restricting access to personal data and preventing unauthorised access, use, destruction, or disclosure
• by conducting privacy impact assessments in accordance with the law and our business policies
• by encrypting personal data both at rest and in flight
• by using Secure Socket Layer (SSL) technology when information is submitted to us online
• by managing third party risks through security reviews and contracts

In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we shall also inform you.

7. Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

7.1 Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or opened an account with us and you have not opted out of receiving that marketing.

7.2 Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

7.3 Opting out

You can ask us or third parties to stop sending you marketing messages at any time by letting us know through the Contact Us section of our website or by following the optout links on any marketing message sent to you. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of other purposes.

8. Cookies

A cookie is a small piece of code, sent from a website sends to a user's internet browser, which allows that website to track the user's previous activity when they return to that website. This allows us to provide you with the experience that you expect from us and lets us continually improve our service. You can block cookies by changing the settings on your browser, but if you do you will not be able to access all or parts of our website.
‍
The types of cookies we use are:

• Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use ofe-billing services.
• Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

We do not have any control over the use of cookies by third parties, including our clients and affiliates. To manage cookies from third party websites you will need to visit their site to adjust your settings.
‍
For more information on our use of cookies you can view our cookie policy here.

9. Third party links

This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, you should read the privacy notice of every website you visit.

10. Your rights

You have the following rights over your data, depending on the basis on which it is held:

• Right to be informed. This Privacy Policy constitutes our informing you of how we use your personal data and your rights
• Right of access. You have the right to understand how we process your personal data and on which legal basis as provided in this Privacy Policy. You also have the right to request access to your personal data.
• Right to rectification. You have the right to correct any incorrect personal data we store about you. You can change your own personal data in most cases or else speak with our Customer Support team.
• Right to erasure. Also known as the right to be forgotten, you may ask for your personal data to be deleted. Please note that this will constitute an account closure in most cases. We are legally obliged to retain data however even after an account closure – see How long do we keep personal data?
• Right to restrict processing. You have the right to restrict our processing of your personal data.
• Right to data portability. You have the right for your personal data to be exportable in easy to use, open formats such as CSV.
• Right to object to processing of your personal data in certain circumstances, and
• Rights related to automated decision-making i.e., where no humans are involved, and profiling i.e., where certain personal data is processed to evaluate an individual – see Automated decision making and profiling

10.1 Right to access

You have the right to request access to the data we have on file for you. Before providing any data we will attempt to verify your identity and where we are not satisfied with the outcome we may refuse the request; we do this to keep your data secure.

When requesting this data we aim to fulfil your request within 30 days and to provide the data in an easily accessible format such as a csv or PDF where applicable.

Where we consider a request for access to be excessively onerous, unfounded or have other legitimate reasons (such as if fulfilling the request were to break other applicable laws) we may require more than 30 days to fulfil your request or may deny the request in part or completely. We will inform you of this in these cases.

We will not charge you for the right to access your data in most circumstances unless we consider the request to be excessively onerous and are still happy to comply with it. In these cases you will be informed of the charges before confirming if you would like us to go ahead with the request.

11. Changes to our privacy policy and control

We may change this privacy policy from time to time. When we do, we will let you know by changing the date on this policy and notifying you of significant changes. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised privacy policy.

12. Contact us

We are Raindrop and our address is Runway East, London Bridge, 20 St Thomas Street, London SE1 9RS, UK. You can contact our Data Protection Officer at privacy@myraindrop.co.uk.