Nucleus Foundation privacy notice
Nucleus Foundation understands that your privacy and the security of your personal information are extremely important. This notice sets out what we do with your information, how we secure it, how we collect it, and from where, as well as your rights in relation to the information we hold about you.
This privacy notice tells you what to expect us to do with your information when you contact us or use one of our services.
This notice is layered so you can easily jump to the section you need.
We’ll tell you:
- Who we are
- Why we can process your information
- What purpose we are processing it for
- How long we store it for
- Whether we share your information and with whom
- Whether we intend to transfer to another country
- Whether we do automated decision-making or profiling
When we say “we,” or “us” in this notice, we only mean the Nucleus Foundation (a charitable incorporated organisation registered with the Charity Commission with charity number 1200800).
Nucleus Foundation is the controller of the personal information we process, unless otherwise stated.
Our postal and email addresses are:
Data Protection Officer
Nucleus Financial Group
Nucleus HQ, Greenside
12 Blenheim Place
Edinburgh
EH7 5JH
We use information provided to us through interactions with you, as part of your application process, and the day-to-day running of your product. This can be directly from you, from your financial adviser or third parties you instruct on your behalf or other third parties such as credit reference agencies. This can also be through our online platforms, social media, or third-party links.
In general terms, we collect and use your personal information to:
- Deliver our service and meet our legal requirements.
- Verify your identity where this is required.
- Contact you, where we are allowed, by post, email, or telephone about important changes to our website, products, or services.
- Improve our services or products.
- Maintain our records.
- Process financial transactions.
- Prevent and detect crime, fraud, or corruption.
Nucleus Foundation has in place appropriate security measures designed to keep your information secure, preventing it from being lost, stolen, altered, used, accessed, or disclosed in an unauthorised way.
This includes:
- Basic information about you such as name, date of birth, gender, national insurance number, marital status, and occupation.
- Your contact details such as address, post code, email, country of residence.
- Documentation confirming your identity, tax residency, and legal authority, including photographic identification.
- Your nationality or dual nationality.
- Information connected to the product or service you use, e.g. bank account details.
- Financial details including bankruptcy, tax status, pension information.
- Information from fraud agencies, credit reference agencies, electoral roll and other publicly available information.
- Details of other people provided as part of your product or services such as joint applicants, next of kin, power of attorney, children, or beneficiaries.
- Your correspondence with us such as letters, emails, calls or meetings.
- Images of you collected by photography or CCTV should you visit our offices or attend our events.
- Information collected automatically via cookies when you visit one of our websites or use one of our online platforms. See separate Cookie Notice for additional information.
- Information relating to your health only where it is necessary to provide a product or service to you or where required by a legal obligation.
Special Categories of Data
We may also collect and use special categories of data, including health data and criminal data. This includes:
- Medical conditions, sickness records, and information from your doctor to allow us to decide whether or not to make an early pension payment due to ill health.
- Information you provide if you are vulnerable or where we suspect you are vulnerable. We will only record this with your explicit consent which you can withdraw at any point (see your rights for more information).
- Information related to any politically exposed person, terrorist, or sanctions that you may be subject to. These checks can also contain criminal convictions or offences, and are all used to decide whether or not to continue our relationship with you.
- If a court order is received containing criminal convictions, such as fraud.
- Where we are contacted by law enforcement agencies where a customer has committed an offence or is under investigation.
Aggregated data
We also process aggregated data for any purpose. This data may be derived from your personal information but, as this data does not directly or indirectly reveal your identity, it is outside the scope of GDPR. If, however, we combine or connect this aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as your information.
Whenever we use your information we must have something called a “lawful basis” for what we do. The different lawful bases we rely on are:
- Consent – you have told us you are happy for us to use your information for specific purpose(s) e.g., for the purposes of providing a grant or publicising a grant we have made to you. You can withdraw your consent at any time by contacting us.
- Legitimate Interest – the use of your information is necessary for us to conduct our business as a charity, but not where our interests are overridden by your interests or rights.
- Performance of a contract – if we enter a contract with you, we will use your information to be able to fulfil our obligations under the contract.
- Legal obligation – we are required to use your information by law.
We do not share your data with any other entity in the Nucleus Group.
We may share your information with others, including third party service providers, subject to applicable laws.
These third parties include:
- Companies and charities we have chosen to support us in the delivery of our grants, for example, training providers.
- His Majesty’s Revenue and Customs, regulators, and other authorities.
- Companies you ask us to share information with.
- Credit Reference Agencies to conduct anti-money laundering or identity verification services.
- Any other third party permitted by law and in the following circumstances:
  - To protect the security of our business.
  - To comply with court orders.
  - If we sell, merge, restructure, or otherwise reorganise our business.
We only keep your information for as long as is necessary in order to perform our statutory and legal obligations. These will vary dependent on the particular circumstances. As a general rule, we will retain information about you for a period of six years following the termination of the contractual relationship between us, unless there are specific circumstances which mean we need to retain your information for longer. This could include where the record is relevant for legal proceedings, a criminal investigation, or where the information is legally required to be kept longer, for example, information relating to a pension product.
The right to access
You have a right to request that we provide you with a copy of the personal information that we hold about you. You also have the right to be informed of (a) the source of your personal information; (b) the purposes, legal bases, and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entities your personal information may be transferred to.
The right to rectification
You have the right to request that we rectify any inaccurate personal information. We may verify the accuracy of the personal information before rectifying it.
The right to erasure
You can request that we delete your personal information, but only where
- it is no longer required for the purposes for which it was collected
- you have withdrawn your consent (where the processing is based on consent)
- following a successful right to object (see below)
- it has been processed unlawfully
- to comply with a legal obligation to which you are subject
We are not required to delete your information where the processing is necessary
- for compliance with a legal obligation
- for the establishment, exercise, or defence of legal claims
The right to restrict the processing
You can request that we restrict your personal information, but only where
- its accuracy is being contested, to allow us to verify its accuracy
- the processing is unlawful, but you do not want it deleted
- it is no longer needed for the purposes for which it was collected, but we need it to establish, exercise, or defend a legal claim
- you have exercised your right to object, and we are verifying our legitimate interests
The right to object
You can object to any processing where we process under legitimate interest, providing you believe your fundamental rights and freedoms outweigh our legitimate interests.
If you raise an objection, we will need to demonstrate we have compelling interests to continue to process your information.
The right to portability
You have the right to ask us to provide you with an electronic file containing all your personal information we hold about you.
Rights regarding automated decision making
We do not use automated decision making, including profiling, when assessing the grant applications.
Please contact us in any of the ways set out in the contact information and further advice section if you wish to exercise any of these rights.
We ask that you please attempt to resolve any complaints about how we handle personal information with us first, but you also have the right to lodge a complaint with the Information Commissioner’s Office:
Online: https://ico.org.uk/make-a-complaint/
By phone: 0303 123 1113
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We keep this privacy policy under regular review and will place any updates on this website. Paper copies of the privacy policy may also be obtained by emailing dataprotection@nucleusfinancial.com.
This privacy policy was last updated in August 2023.