Privacy notice
September 2022
1. Introduction
We respect your privacy and are committed to doing the right thing when it comes to protecting your personal data, including how we collect, use and protect your personal data. This Privacy Notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
This Privacy Notice aims to give you information on:
- Third-party links;
- Octopus Group and the Data Controller;
- Our legal bases to process personal data
- Our record retention policy
- Category of individuals and information on personal data;
- Disclosure of your personal data;
- Storage of your personal data;
- Security around individuals’ personal data;
- Individuals’ rights;
- Complaints
This website is not intended for children and we do not knowingly collect data relating to children.
Please take the time to read this Privacy Notice. If you have any questions about this Privacy Notice or our use of your information and/or personal data you can contact us at [email protected] or on telephone number +44 800 316 2295. This Privacy Notice may change from time to time and our up-to-date version will always be available on this website.
2. Third-party links
Our websites may include links to third-party advertisers, affiliates, websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements, notices or policies. When you leave our website, we encourage you to read the privacy notice of every website you visit. We do not accept any responsibility or liability for the privacy policies or notices on third-party websites. Please check these policies before you submit any personal data to these websites.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
3. The Data Controller
For the purpose of this Privacy Notice, the information on how we handle your personal data applies to the Octopus Group companies listed below, each of which is registered as a data controller (as defined under European Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)) with the UK Information Commissioner’s Office (“ICO”):
Octopus Capital Limited, registration number ZA171166; and
Octopus Investments Limited (and its subsidiary companies), registration number Z6932923
Accordingly, “we”, “us” or “our” in this Privacy Notice, refers to Octopus Capital Limited and Octopus Investments Limited including its subsidiary companies.
4. Our legal bases to process personal data
There are many reasons why we may legitimately collect and process your information and/or personal data (also known as the legal basis), including:
1. Consent
In specific situations, we can collect and process your data with your consent.
2. Performance of a Contract
We may process your information where it is necessary either to enter into a contract with you for the provision of our products or services; to perform our obligations under a contract; or to provide you with advice or guidance in relation to our products or services that are offered by us.
3. Legal obligation
If the law or any regulator in any competent jurisdiction requires us to, we may need to collect and process your data and also provide this to any such regulator.
4. Legitimate interest
We may process your information in the day to day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.
5. General information on our record retention policy
Records can be held on a variety of media (physical or electronic) and formats. Retention periods for records are determined based on the type of record, the nature of the activity, product or service, and applicable local legal or regulatory requirements. Retention periods may be changed from time to time based on business or legal and regulatory requirements.
We may, on exception, retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from any courts or competent authority, or in relation to an investigation by law enforcement agencies or our regulators. This is intended to make sure that we are able to produce records as evidence, if needed to those respective authorities.
Please refer to each individual category (sections 7–12, below) on how long we keep your information and/or personal data. If you believe the record you are looking for has not been stated, please contact us directly to inquire at [email protected].
6. Category of individuals
Please select the relevant section from the list below to understand how we process your information and/or personal data:
- Website visitor
- Visitors to the office
- Employee
- Job applicant
- Investor and customer
- Third-party supplier
7. Website visitor
When do we collect information about you?
- When you visit and browse our website
- When you provide your information on our contact page;
- When you fill in job application under the career section;
- When you log in as an investor
Personal data we collect and the legal bases to process
- Website: Please refer to our Cookie Notice
- Contact page: Email address, individual’s message and if provided, includes the name, telephone number and other personal data directly submitted by the individual
- Career section: Please refer to section 8, below
- Investors/Advisors Login: Login credentials and your CON number
We rely on the legitimate interest of the business as the legal basis to process your information and/or personal data. We will use your information to contact you and provide the necessary service relevant to the purpose of using our website. It will also help us to improve the usage and functionality of our website.
Why do we need your personal data?
- Contact page: The right team in Octopus will be able to contact you when a query or comment is submitted to us
- Career section: When you submit your interest to work with us, the information you provide in the career section will help our team to review your application and the necessary credentials to consider your application. We will use the information and/or personal data provided to inform you of the status of your application
- Investors Login: The login credentials will give you access to your investment product and profile
How long do we keep your data for?
Personal data submitted through the Contact page will be held in our online system for 3 (three) months after it is submitted.
Information and/or personal data on the career section will be retained with our HR team for 12 (twelve) months, unless consent is given for us to hold it longer than this period.
Our customers’ information in the investor Login page will be recorded for as long as the investor has an online account with Octopus Investments and for 5 (five) years after the account has been closed.
Cookies
Please refer to our Cookie Notice for more information and how we handle your personal data.
8. Visitors to our office
When do we collect information about you?
We may ask for your contact details prior to or upon your arrival at our office or events; or when you choose to use our guest Wi-Fi.
Personal data we collect and the legal bases to process:
- Name;
- Email address;
- Organisation you are working for;
- Date and time of your visit;
- When connected to our Wi-Fi: IP address assigned by the network, hostname of device, first and last seen, data usage, device type and the last access point (all of which when combined amount to your personal data);
- Photographs or video images (through CCTV);
- Any other information you may provide to us for a specific request
The legal bases to process your personal data are:
- Legal obligation under the Health & Safety Act 1974 to use your information to facilitate your visit;
- Octopus Investments’ legitimate interest to ensure a secure and safe access to our office; and
- Consent, when you agree to share your details with us to meet us
Why do we need your personal data?
Octopus Investments has the responsibility to look after the safety of our employees and visitors when you are in our office. Only authorised individuals are allowed to be in our office, making sure that it is safe and secure for everyone.
The personal data used for the purpose of our Guest Wi-Fi will be used to provide the online connection to our visitors and keep track of any connection issues.
How long do we keep your data for?
We will keep your data for 6 (six) months from your first visit and it is held in the visitor management system provided by our building landlord (Sainsbury’s). We do not separately hold your information and/or personal data outside of the system. Please visit Sainsbury’s website to read their Privacy Notice.
In the event you are using our Wi-Fi, your personal data will be held for 30 (thirty) days from the last connection. Please let us know should you wish to have your personal data deleted sooner than the retention period and we will attend to your request accordingly.
9. Employees
When do we collect information about you?
We process and use your information and/or personal data when you are employed by Octopus Investments on a permanent or temporary basis under a contract of service, and when you are agency staff, a casual worker, a contractor or a consultant working under a contract for service.
Personal data we collect and the legal bases to process:
- Name, date of birth, home address, email address, telephone number;
- LinkedIn profile (your profile link)
- Work experience;
- Academic and professional qualifications/membership;
- School, college and/or university;
- Salary expectation;
- Start date and leaving date;
- Evidence of your right to work in the UK and/or immigration status;
- Passport;
- Driving Licence;
- HMRC Details
- P45 form
- Employee’s photo holding his/her passport;
- National Insurance number
- Health and disability information (if provided or known during your employment);
- Record of any accident and/or injury at work or during working hours (including while working from home);
- Marital Status;
- Gender;
- Next of kin and dependants;
- Emergency contact details;
- Home address outside of UK (if working abroad);
- Racial and ethnic origin (optional);
- Religious belief (optional);
- Sexual orientation (optional);
- Bank details;
- CCTV or video images;
- Headshot photo (security access card);
- Images on Microsoft account;
- Images at our events;
- Benefits;
- Performance and appraisals information;
- Complaints, feedback, internal investigation, disciplinary actions and grievances;
- Termination notice;
- Social media profile (if shared by the employee);
- Any other information you provide to us in relation to your employment and working arrangements.
The legal bases to process employees’ information and/or personal data are:
- Performance of a contract – To enable us to carry out our day-to-day activities such as payroll, benefits and provide the agreed working arrangements to employees.
- Legitimate interest – To administer and plan for our workforce.
- Consent – In circumstances where you opt to participate in activities or events, or to provide optional information and special category personal data to us.
- As an employer, we also need to comply with some of the laws and regulations which include (non-exhaustive list):
  - Equality Act 2010 (for general well-being, unlawful harassment and misconduct);
  - The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (for accident records);
  - Income Tax (Employment) (Amendment No. 6) Regulations 1996 (for NI returns, income tax and HMRC correspondence);
  - Maternity & Parental Leave Regulations 1999 (for maternity & paternity records, certification and pay calculations);
  - Health & Safety at Work Act 1974 (to manage employees’ health and safety at work as well as for those working from home).
Please note that due to the nature of our services and products and to comply with relevant laws and regulations (e.g., Money Laundering Regulations (MLR) 2003, Proceeds of Crime Act (POCA) 2002, Serious Organised Crime and Police Act (SOCPA) 2005, and other applicable laws), employees’ emails and communications are routinely monitored to ensure we adhere to our regulatory obligations and code of conduct and to prevent the misuse of sensitive information of our employees, investors and customers with unauthorised parties. We rely on the legal obligation imposed on us as one of the lawful bases to carry out this activity.
- Processing under Article 9(2)(b) – We are allowed to process your sensitive and special category of personal data under Article 9(2)(b) when we receive sensitive information such as health data and information on criminal offence/record.
Why do we need personal data?
We need to process your personal data for the general administration of the contract we have entered into with you and for business operations in Octopus Investments. We also have a legal obligation to process your sensitive personal data to comply with the laws and regulations (e.g., for occupational health, accidents or injuries at work, for statutory maternity pay, etc.).
We will only use your personal data for the purpose for which we collected it in the first place and in relation to your employment. For other purposes that are not stated above, we will ensure that the processing is only carried out where it is compatible with the main purpose.
How long do we keep your data for?
Employee records will be retained for 6 (six) years after the end of employment.
10. Job applicant
When do we collect information about you?
We process your personal data either through the employment agencies, on our website career section or through LinkedIn. Your information will be processed by our Recruitment team who will then send it across to the relevant business unit for the job role you are applying for.
Personal data we collect and the legal bases to process:
- Name, date of birth, home address, email address, telephone number;
- LinkedIn profile (your profile link)
- Work experience;
- Academic and professional qualifications/membership;
- School, college and/or university;
- Current salary & salary expectation;
- Notification period;
- Health and disability information;
- Marital Status;
- Gender;
- Disability or health conditions that you share with us;
- Race and religion (optional)
- Sexual orientation (optional)
- Any other information you provide to us in relation to your application whether in your CV or directly with us
The legal bases that we rely on are:
- Consent – When you choose to progress with your interest either on LinkedIn; our career section; or with the employment agency;
- Legitimate Interest – Your application will help us to assess your skills and experience relevant to the role you are applying for, and the process may help us to develop and improve our recruitment process. Additionally, it is important for us to verify the information in your application and we use a background check service provider to do the necessary to confirm your details and previous working experience.
- Legal Obligations – Some information you provide may impose a legal obligation on Octopus Investments and require us under the Equality Act 2010 to protect your wellbeing at the workplace.
- Performance of a Contract – In the event your application is successful, Octopus Investments will use your personal data to do the necessary to prepare your employment contract
- Processing under Article 9(2)(b) – We are allowed to process your sensitive and special category of personal data under Article 9(2)(b) when we receive sensitive information such as race, religion, sexual orientation and/or health
Why do we need your personal data?
We would not be able to consider your application without your information and/or personal data as we need to assess your suitability for the role. Additional information provided will be used to prepare the necessary working arrangements when you have been selected.
How long do we keep your data for?
Your data may be retained for up to one (1) year in case there are queries or where your application is re-considered for the same role or other role(s).
11. Investor and customer
When do we collect information about you?
Octopus Investments requires your personal data when you submit your interest to invest and/or enquire about our products. Your personal data will also be used when we create your profile for your investment and product and for an online account on our website.
Personal data we collect and the legal bases to process
- Name, date of birth, home and/or office address, email address, telephone number;
- Employment details;
- Gender;
- Income/Financial/Tax Details;
- NI number;
- Nationality and country of citizenship;
- Investment data and valuations;
- Login details (for online account);
- Health or disability information (if provided);
- Communication records (for security and monitoring purposes)
It is within our legitimate interests to process your personal data for us to fulfil your investment into one of our products, and for the general administration of your investment and profile.
We rely on your consent when you choose to receive the marketing communications from Octopus.
We also have a legal obligation to comply with the laws and regulations concerning your investment, fund and/or product, for example for fraud reporting obligations or anti-money laundering.
Why do we need personal data?
To manage your investment with us.
To send the company’s news, updates and/or products following your consent for marketing communications.
Relevant to our lending products only and through your application process, we may share your personal information with credit reference agencies (CRAs) and fraud prevention agencies (FPAs) to (among all other necessary checks to be carried out prior to providing services to you) verify your identity, assess creditworthiness, provide your financial history, manage your account, and help us prevent fraud and money laundering.
We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. The CRAs may also share your information with other organisations in accordance with their rightful legal basis to do so. More details on the CRAs, and the ways in which they use and share personal information, are explained at CRAIN.
Further details of how your information will be used by our FPAs, and your data protection rights, can be found here: https://www.cifas.org.uk/fpn.
How long do we keep your data for?
Your personal data will be retained for 5 (five) years after the account has been closed.
12. Third-party supplier
When do we collect information about you?
We collect personal data of the account manager or contact person of the third-party supplier when we request the company’s goods or services, or when we agree to sign the contract with the supplier.
Personal data we collect and the legal bases to process
- Name, email address, telephone number
- Job title
- Bank account details (particularly for individual supplier/consultant)
The lawful bases to process your personal data are:
- Performance of a contract for the goods and/or services;
- Legal obligation: To comply with the Bribery Act 2010, Modern Slavery Act 2015 and other applicable laws
- Legitimate interest: To manage business contacts and the general administration of our third-party suppliers
Why do we need personal data?
We do not use your personal data for other purposes than to manage the third-party supplier contract with us.
How long do we keep your data for?
Personal data in relation to managing the goods and services will be retained in our records until it is replaced with a new business contact from your organisation. The same retention period applies to individual consultants.
13. Disclosure of your information (including outside of the European Economic Area “EEA”)
We may share your personal information within the Octopus Group.
When we share your information with third parties, they will process your information and/or personal data either as a data controller or as our data processor, depending on the purposes for which we share your information and/or personal data with such third party. We will only share your information and/or personal data in compliance with the applicable data protection laws and regulatory requirements.
We may disclose your information:
- With previous employers or through the employment agency when you submit your job application;
- When other products and services within the Octopus Group may interest you provided we have your consent;
- To buyers or sellers of any of our business or assets;
- If we are under a duty to disclose or share your personal data with any government bodies or agencies or law enforcement, to comply with any judicial or legal obligations or regulatory requirements or to protect the rights, property or safety of: (i) the Octopus Group websites, (ii) our customers, (iii) exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and/or
- To third-party suppliers who will process our data on our behalf and their authorised employee(s) and/or team(s) who need to access your personal data.
Transfers may be made outside the EEA where we are satisfied that appropriate safeguards are in place.
We may share some broader statistics and customer profiling information with third parties and within the Octopus Group, but the information or data will be anonymised, so you will not be identifiable from that data. We do not rent or sell your personal data and/or information details to any other organisation or individual.
14. Storage of your personal data (including outside of the “EEA”)
Our main storage and back-up database is located within the U.K. However, the information and/or personal data that we collect and process may be transferred to, and stored at, a destination outside of the UK via a third-party system, particularly when we use a cloud-based platform. We ensure that appropriate safeguards are implemented and your information and/or personal data will be protected in the same way that they are managed and stored in the UK.
In the event that we transfer information to countries outside of the EEA, we will only do so where:
- the European Commission has decided that the country or the organisation, entity or individual to whom we are transferring to or sharing your personal data and/or information with, will protect your information and/or personal data adequately;
- the transfer has been authorised by the relevant data protection authority; and/or
- we have entered into a contract with the organisation, entity or individual with whom we are sharing your personal data and/or information (on such terms as approved by the European Commission), to ensure your information is adequately protected.
15. Security
We take all steps reasonably necessary to ensure that your information and/or personal data is treated securely and in accordance with this Privacy Notice.
We implement strict procedures and security features to protect your information and/or personal data to prevent unauthorised access. Unfortunately, the transmission of information via the internet sometimes may not be completely secured from any malicious online attack; however, we will do our best to protect your information and/or personal data while we retain it for our purpose.
16. Your rights
We want to make sure you are aware of your rights in relation to the information and/or personal data that we process about you. We have described those rights and the circumstances in which they apply, in the table below and you can contact us at [email protected] to exercise your rights:
| Rights | Description |
| --- | --- |
| Access | You have the right to access and/or obtain your information and/or personal data that we hold about you. |
| Rectification | If you believe that any of the information and/or personal data that we hold about you is inaccurate, you have the right to inform us and rectify it. |
| Erasure | You may request that we delete your information and/or personal data, if you believe that: • we no longer need to process your information and/or data for the purposes for which it was provided; • we have requested your permission to process your information and/or data and you wish to withdraw your consent; or • we are not using your information and/or data in a lawful manner. |
| Restriction | This right can be exercised under any of these circumstances: • when you believe that the information and/or personal data that we hold about you is inaccurate and thereafter, we will need time to verify the accuracy; • we have processed your information and/or personal data unlawfully; however, you would prefer to restrict the processing instead of erasure; • we have requested your permission to process your information and/or data and you wish to withdraw your consent; or • we are not using your information and/or data in a lawful manner. |
| Portability | You have a right to receive the information and/or personal data you provided to us in a portable format. This is an extension to your right of access. Please note that this right is only applicable to electronic processing of your personal data and when the information and/or personal data is collected directly from the individual requesting to exercise this right. We will attend to your request only in the event that the information and/or personal data is being processed based on your consent or contractual necessity. You may also request us to provide it directly to a third party, if technically feasible. |
| Marketing | You have a right to object at any time to processing of your information and/or personal data for direct marketing purposes, including profiling you for the purposes of direct marketing. We do not carry out processing that involves automated decision making that may affect the rights of, or produce legal effects on, our employees, investors and/or customers. |
17. Complaints
If you wish to raise a complaint about how we have handled your information or to exercise your rights under section 15 above, you can contact our Data Protection Team, who will investigate the matter, via e-mail at [email protected], write to us at Data Protection, 33 Holborn, London, EC1N 2HT, or call us on +44 800 316 2295.
We hope that we can address any concerns you may have, but you can always contact the Information Commissioner’s Office (ICO) to further inquire or to lodge your complaint by visiting their page at https://ico.org.uk/global/contact-us/