Privacy Policy
As with everything these days we have pages of legal stuff we are obliged to produce. We know that not many people read through all of this. In a nutshell, for the more impatient amongst us, here are the headlines. We collect some data from our website users through our quizzes, the ratings you leave and other web-based services. Our interest in this data is at the aggregate level – we use it to understand who has ISAs, what people make of money and what ‘people like you’ want financial products to look like. We do use this data to fuel our research but we do not sell your individual details or use anything which could identify an individual.
Introduction
Boring Money is committed to protecting the privacy and security of your personal data. We have developed this privacy notice to inform you of the data we collect, what we do with your data, what we do to keep it secure as well as the Rights you have over your personal data.
Throughout this notice we refer to data protection legislation which includes the UK GDPR and other laws mandating data protection including (but not limited to) the Privacy Electronic Communication Regulations 2003 and 2011.
Boring Money is a data controller as we have determined the purposes of why personal data should be collected and processed, and this notice is designed to ensure viewers of this notice are well informed of our data processing activities.
As we are based and headquartered in the United Kingdom (UK), we are registered with the Information Commissioners Office (the ICO) with registration number ZA192588.
You can contact our head office using the details below.
Post:
10 Lower Thames Street
London
EC3R 6AF
United Kingdom
Email: info@boringmoney.co.uk
We have also appointed an external data protection officer (DPO) and their details are as follows:
Evalian Limited
West Lodge
Leylands Business Park
Colden Common
Hampshire
SO21 1TH
United Kingdom
Email: dpo@evalian.co.uk
Phone: +44 (0)333 050 0111
Website: www.evalian.co.uk
Lawful basis for data processing
The UK GDPR requires Boring Money to identify appropriate lawful bases to process personal data. The lawful basis we rely on as a data controller are detailed below with brief examples for when they may apply:
Consent
For opting into marketing communications, newsletters, competitions etc.
Contractual obligation
To take steps into entering and concluding contracts of employment.
Legal obligation
Where needed for tax reasons such as UK HMRC purposes.
Vital interests
To ensure we know about medical conditions of our employees or onsite visitors should they require medical attention.
Legitimate interests
To help answer any questions or concerns that may be sent to us from individuals who we may have no prior existing relationship with.
There may be instances of where we may need to process certain categories of data referred to as Special Category Personal Data. These may include personal data related to health, race and ethnicity as examples, but where identified and needed, we will ensure we consult our DPO to ensure the relevant special conditions are applied and documented where needed.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Personal data collected
Due to the nature of our business and data processing activities we would collect and process various categories of personal data from various data subjects. The below gives examples of different categories of personal data collected and processed:
Identity (e.g. full name, email)
Contact details
Recruitment data
Profile information
The above list is representative and non-exhaustive.
We collect personal data through several means. Examples can include:
When you complete any online forms
Create an account on our website
Enter a competition, promotion or complete a quiz/survey
Give us feedback (e.g. complaint or compliments)
From publicly availably sources such as Companies House and the Electoral Register based inside the EU
The above list is representative and non-exhaustive.
How we use personal data
We may use personal data for various activities which can include the following activities:
For own internal records
To monitor website usage
To process job applications
Administer profiles
Action any data subject right requests
Process an order for a product or other service
Seek your views or comments on the services we provide
Notify you of changes to our services
Handle an enquiry or complaint you have made
Sending marketing communications and other company updates
The above list is non-exhaustive and representative. For more information to how we use personal data for specific activities you can contact us as detailed above.
Recruitment and criminal data processing
From time to time we may advertise job vacancies with third party recruitment agencies in the UK only or through websites such as Indeed or LinkedIn. When we receive candidate information from a third-party agency we may receive personal data such as your name, CV information and other information which may be used to help your application to stand out (e.g. may be immediately available). We will be sure to only retain candidate data for as long as reasonably necessary which is typically 6 months if a candidate is unsuccessful.
The same applies with any direct applications received.. If we screen a profile and CV information and the candidate is unsuccessful we will only make sure we only have that data for as long as necessary which again would be up to 6 months.
Positions within our company will not require a criminal background check. If this was to change we will be sure to update our policies and notices where needed.
Children’s data
Our services are not specifically designed for children and for those under the age of 18. If we do become aware of anyone using our services who may be under 18 we will take all reasonable steps to ensure we do not process their data any further and will communicate this to them directly.
Data sharing
Due to the nature of our business there may be at times we are required to share data with other teams and members of our organisation. Examples of when we may need to share data can include for recruitment purposes, IT concerns, and any questions or concerns regarding data protection received from other internal teams.
Please note there may also be instances where we may need to share data with any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation or (ii) to exercise, establish or defend our legal rights.
International data transfers
There may be instances where we may need to transfer your data outside the UK. We may need to share your data with companies who are in the European Economic Area (The EU member states, Norway, Iceland and Liechtenstein), in an adequate listed country or in other third countries who may not have similar data protection laws to the UK. If we need to transfer your information outside the UK we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this notice.
Cookies
We use cookies on our websites. More information to how we use cookies can be found in our cookie notices where you can also change your consent.
Marketing communications
We would like to send you marketing news and updates regarding our company, products and services should you like to receive them. In order to send you these communications we would require your consent, and you can always change your preferences (i.e. opt out) by clicking on the relevant unsubscribe link at the bottom of the email. You also have the ability to opt out by contacting us over phone or email should you chose to do so.
Automated decision-making and profiling
We do not conduct any automated decision making and profiling within our organisation.
Data retention
We regularly review our data retention practices to ensure we only retain personal data for as long as necessary in line with our data processing activities. We have created data retention policies and accompanying data retention schedules to help document relevant retention periods.
As a data controller we will retain personal data for as long as necessary in line with various requirements, such as for example, best practice recommendations (e.g. ICO recommendations), relevant guidelines (e.g. ACAS guidance) or for as long as mandated under specific legislation (e.g. HMRC requirements). We will also determine appropriate retention periods based on our legitimate interests where identified.
When data is needed to be deleted we will either delete manually or anonymise it if deletion is not possible.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
If we become aware of any loss, misuse, alteration of personal data we will work closely with our IT team, DPO and other parties as necessary to investigate the incident at hand. We have put into place the relevant procedure and policies in place to investigate, mitigate and report (when needed to relevant parties) such instances.
Data protection rights
If you are based in the UK you have several Rights to how an organisation processes your personal data. The Rights are as follows:
Right to be informed
Right to access data
Right to rectification
Right to erasure
Right to restrict processing
Right to objection
Right to portability
Right not to subject to automated decision making and profiling
If you would like to exercise any of the above Rights you can do so by sending us a written request to our email address mentioned above.
Concerns and complaints
We understand you may have concerns and complaints to this notice and any aspects to how we process personal data. If you would like to contact us directly to talk to us about a concern or to raise a complaint, you can do so by using our contact details above.
You can also submit a complaint directly to the Information Commissioners Office (the ICO), the UK supervisory authority for data protection in the UK, via this link https://ico.org.uk/make-a-complaint/.
Review and updates
We will review this notice and make changes to it from time to time. We recommend that you check this notice to see where changes have been made and to ensure you are able to review updated information at all times.