Privacy policy

This privacy policy sets out how Nutmeg Saving & Investment Limited, trading as Nutmeg, uses and protects any information that you provide to Nutmeg.

Nutmeg is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy policy.

Nutmeg may change this policy from time to time by updating this page. We will inform you of any material changes we make to this policy to ensure you are satisfied with our approach to managing your personal data.

What we collect

In order to create an account with Nutmeg we need to collect some personal information, as well as other information.

Information given to us:

  • Name and address
  • Date of birth, nationality and national identifier
  • Payment information - Bank account information & debit card
  • Risk questionnaire answers
  • Investment experience and source of wealth
  • Gender
  • Health information

Why we need to collect this information

Nutmeg are required under the General Data Protection Regulation - Regulation EU 2016/679 ("GDPR") to explain the lawful basis of processing of your information.

We collect this information primarily to satisfy legal requirements and to enable us to provide the services required under your contract with us.

Where explicit consent is required we will seek this from you, for example with respect to marketing preferences. However, in most cases explicit consent is not required, and implicit consent is inferred to perform our responsibilities under the contract.

Where explicit consent is required and not provided it may result in non-benefit of service, or the inability to open an account with Nutmeg.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reason

  • Performance of the contract
  • Verify your identity
  • To ensure the product and service is suitable
  • Internal record keeping and record retention for legal requirements
  • We may use the information to improve our products and services, by analysis of customer data.
  • We will only use your information for the purpose it was collected.
  • Where explicit consent is given we will also use this information for marketing purposes
  • Correspondence regarding your account via email, telephone and secure Nutmail
  • Notify you of any changes to our service
  • Tracking of your activity on our website and the use of google tag ID to determine how you got to our website

Lawful basis for processing

The types of lawful basis we rely upon are:

  • Legal, for example verifying your identity or complying with regulatory obligations.
  • Contract and legitimate interest, for example your email address and telephone number to contact you.
  • Consent, for example implicit consent would be the collection of your payment information for an optional service and explicit consent for marketing or health information (special category data).
  • Vital interest, for example if the account holder passes away, we’re required to liaise and allow access to the next of kin.

Controlling your personal information

Nutmeg rely on explicit consent for the following reasons:


  • Nutmeg will only market to you provided you have given us your explicit consent. This can be managed through our preference centre, you can withdraw this consent at any time. If you have any questions please contact


  • In order for Nutmeg to provide you with a Personal Pension, we’re required to gather some health information, this is a special category under GDPR and therefore requires explicit consent.

Your rights

The right to be informed - Nutmeg needs to inform their customers what data they hold on them, and how we process it. This is detailed in this Privacy Policy.

The right of access and data portability - Our customers have the right to access the data that Nutmeg holds on them and request portable version.

The right to rectification - Our customers have the right to have inaccurate personal data rectified, or completed if it is incomplete.

The right to erasure (aka the right to be forgotten) – Our customers have the right to request the erasure of their data held. The ability for Nutmeg to complete such a request is dependant on other obligations to regulators regarding record retention.

The right to object or restrict processing – Our customers have the right to request restriction or suppression of the processing of their personal data. This is not an absolute right and only applies in certain circumstances.

Rights in relation to automated decision making and profiling - Our customers have the right to object to Nutmeg profiling, including profiling for marketing purposes.

Our customers can exercise any of these rights, for example request a Subject Access Request by emailing us at

Please note, this does not affect any information required to be stored under record retention laws, more information on our record retention policy is set out below.

Data Retention

Nutmeg is required to retain certain data records to comply with the Financial Conduct Authority’s (FCA) general recording keeping requirements. To comply with these requirements, Nutmeg’s policy is to retain this data for 7 years, providedthere is no obligation to retain for an additional period. Our Third Parties may also have their own retention periods such as our debit card payment provider.Please refer to their individual privacy policies for more information about their record retention policies.

Any requests of erasure during the retention period will not apply to these data records, and such records may only be deleted once the retention period has expired.

Who we share this information with

For the purposes of the contract we are required to share your information with third parties, the situations in which we share this information are detailed below.

  • Regulatory bodies or the police to comply with our legal obligations.
  • Fraud prevention agencies, and other organisations in order to detect and prevent financial and other crime.
  • Data, service and software providers to help improve, develop and maintain our products and website (which may include, for example customer data modelling or statistical and trend analysis).
  • Suppliers where necessary for the performance of the contract, including sub-contractors

We will endeavour to anonymise your data and/or minimise the amount of your data we share with these third parties, where possible.

We will not sell or lease your personal information to third parties unless we have your permission or are required by law to do so.

With your explicit, prior consent, we may use your personal information to send you promotional information about third parties which we think you may find interesting.

Data Controller vs Data Processor

Under the GDPR, a Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data.

The Data Processor is the entity that processes data on behalf of the Data Controller.

Nutmeg is the Data Controller of your personal information and it uses a number of third parties to provide the service under the contract and to improve our product and services. Customers’ personal data is shared where appropriate with third parties that are Data Processors or Data Controllers in their own right and, in both scenarios, appropriate legal measures are in place to safeguard the processing of your personal data.


We are committed to ensuring that your data is retained securely by us. In order to prevent unauthorised access to or disclosure of your data, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we collect.

Nutmeg has robust fraud screening processes to mitigate and detect fraud.

Nutmeg’s mobile apps are protected by a passcode. Nutmeg’s iOS app is compatible with Apple Touch ID.

Should Nutmeg transfer your data outside the EEA we will have appropriate additional measures in place to protect the data, and we will only transfer to countries and companies with adequate levels of protection.

Using the internet comes with risks, we cannot guarantee that any information sent to us by email or via our website will not be intercepted or tampered with. Any communications are sent at your own risk.


There are many steps which you can take to help us keep your account safe and secure. We recommend that you take the following actions:

Password and Passcode
Do not give your device security details, including any passwords or passcodes, to anyone else and don't store them on your device. Get in touch with us as soon as possible if you feel someone may know your login details or if you lose your device. We can then stop the service to your device.

For added security, we recommend you should set up a passcode to access your mobile device. This option can usually be found under the Settings menu on your device and set up multi-factor authentication via your Nutmeg dashboard

Multi-factor authentication requires something you are, or something you have in addition to the password when you authenticate a log in to Nutmeg.

Use private browsing
Access Nutmeg using the best security offered by your browser to maintain the security of your account, this for example would be "incognito" for Google Chrome and "private browser" for Safari.

Your handset
Do not leave your device unattended when logged on and watch out for people looking over your shoulder. Think carefully before jail-breaking or rooting your device. We advise against doing this as it may weaken the security of your device and expose you to additional risks.

If possible, keep your mobile device’s operating system updated with the latest security patches and upgrades. Older software may have security vulnerabilities that could expose you to additional risks. You may also want to consider using a reputable brand of anti-virus software on your mobile banking device.

When Nutmeg contacts you
We will never contact you to ask you to disclose your security credentials. Be cautious about opening links contained in SMS messages or emails and beware of phishing scams.

Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers.

If you use Nutmeg’s mobile app, we recommend that you take these additional measures:

Passcode, TouchID and FaceID
Your Nutmeg app is protected by a passcode. We recommend that if you use Nutmeg’s apps, you use enable TouchID or FaceID for biometric entry.

App store
Only download mobile apps from official app stores.

When accessing your Nutmeg account please be vigilant about who might be able to view your screen.


What are cookies?
A cookie is a small text file that’s placed on your computer or mobile device when you visit our website or mobile app. Cookies are used for various reasons, such as tracking the performance of our website, they can help to remember your username and preferences, and also collect general information such as how users arrive at and use our website.

We also use other tracking technologies like web pixels (sometimes called “tracking pixels”). These are tiny graphics files that contain a unique identifier that enable us to recognise when someone has visited our website or opened an email that we have sent them.

The types of cookies and tracking technologies we use help us operate our website, mobile app and services, enhance and customise your experience across our website and services, perform analytics and deliver advertising and marketing that’s relevant to you.

What cookies do we use?

  1. Essential Cookies

    Some of the of cookies and tracking technologies we use help us to provide and maintain our website, mobile app and services, so that you can sign in and navigate our website effectively

  2. Performance Cookies

    The types of cookies and tracking technologies we use help us to enhance and customise your experience across our website and services and perform analytics, like gathering data about the number of visits to our website and the time users spend on our site

    We also use other tracking technologies like web pixels (sometimes called “tracking pixels”). These are tiny graphics files that contain a unique identifier that enable us to recognise when someone has visited our website or opened an email that we have sent them.

  3. Functionality Cookies

    These cookies are used to remember your preferences, such as remembering your username and password in order to access your account.

  4. Behaviourally Targeted Advertising Cookies

    We use these cookies to deliver advertising and marketing that’s relevant to you based on your browser history, which may be displayed on Nutmeg’s website and other websites. We also use these cookies to analyse how effective some of our advertising campaigns are by tracking users’ clicks. We can also use them to limit the number of times you see an ad. To prevent this kind of advertising you can adjust your browser cookie settings. Guidance on how to do this is shown below

The cookies mentioned above may be persistent cookies (cookies that remain on your hard drive and your browser for an extended period of time) or session ID cookies (cookies that expire when you close your browser).

What Third Party cookies are on our website?

There are also cookies set by third parties across our websites and services. Third party cookies enable third party features or functionality to be provided on or through our website, mobile app and services, such as advertising, interactive content and analytics. They also enable us to manage Nutmeg advertising on other websites.

Some of our affiliates and third-party service providers, may use a few different types of cookies, this may include persistent and session cookies as described above.

How can you control cookies?
Nutmeg use both essential and tracking cookies on our website and mobile app, which are mainly persistent cookies unless labelled as session only. You can accept or reject cookies by amending your web browser controls. Because some are essential our website, mobile app and services might not work like they’re supposed to, and in some cases, might not work at all, if you decide to reject all cookies.

There are two options when disabling cookies:

  • You can turn off Third-Party website cookies via your browser settings; or
  • You can turn off all cookies on, this means you will no longer be able to use our service, but you can still visit our website

You can also manage your cookie settings by following your browser's instructions. Here are some links that might be of assistance:

Google Chrome

Microsoft Internet Explorer

Mozilla Firefox


Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and review the privacy statement applicable to the relevant website.