Privacy policy


This privacy policy sets out how Nutmeg Saving & Investment Limited, trading as Nutmeg, uses and protects any information that you give Nutmeg.

Nutmeg is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy policy.

Nutmeg may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.


What we collect

In order to create an account with Nutmeg we need to collect some personal information, as well as other information.

Information given to us:

  • Name and address
  • Date of birth, nationality and national identifier
  • Payment information - Bank account information & debit card
  • Risk questionnaire answers
  • Investment experience and source of wealth
  • Gender
  • Health information

Why we need to collect this information

Nutmeg are required under General Data Protection Regulation 2016/679 to explain the lawful basis of processing of your information.

We collect this information primarily to satisfy legal requirements and to enable us to provide the services required under your contract with us.

Where explicit consent is required we will seek this from you, for example Marketing preferences. However, in the vast majority of cases explicit consent is not required, and implicit consent is inferred to perform our responsibilities under the contract.

Where explicit consent is required and not provided it may result in non-benefit of service, or the inability to open an account with Nutmeg.


What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reason

  • Performance of the contract
  • Verify your identity
  • To ensure the product and service is suitable
  • Internal record keeping and record retention for legal requirements
  • We may use the information to improve our products and services, by internal analysis of company data.
  • We will only use your information for the purpose it was collected.
  • Where explicit consent is given we will also use this information for marketing purposes
  • Correspondence regarding your account via email, telephone and secure nutmail
  • Notify you of any changes to our service
  • Tracking of your activity on our website and the use of google tag ID to determine how you got to our website

Lawful basis for processing

The types of lawful basis we rely upon are:

  • Legal, for example verifying your identity or complying with regulatory obligations, such as MiFID II.
  • Contract and legitimate interest, for example your email address and telephone number to contact you.
  • Consent, for example implicit consent would be the collection of your payment information for an optional service and explicit consent for marketing or health information (special category data).
  • Vital interest, for example if the account holder passes away, we’re required to liaise and allow access to the next of kin.

Controlling your personal information

Nutmeg rely on explicit consent for the following reasons:

Marketing

  • Nutmeg will only market to you provided you have given us your explicit consent. This can be managed through our preference centre, you can withdraw this consent at any time. If you have any questions please contact dataprotection@nutmeg.com.

Pension

  • In order for Nutmeg to provide you with a Personal Pension, we’re required to gather some health information, this is a special category under GDPR and therefore requires explicit consent.

Your rights

Subject Access Requests

You’re entitled under the GDPR principle ‘right of access’ to request the personal data that Nutmeg holds on you. You can request a copy of this information by emailing dataprotection@nutmeg.com.

If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

The Right to Erasure

You’re entitled under the GDPR principle ‘right to erasure’ to request the deletion of personal data that Nutmeg and their suppliers hold on you. You can request this by emailing dataprotection@nutmeg.com.

Please note, this does not affect any information required to be stored under record retention laws, more information on our record retention policy is set out below.


Data Retention

In line with the Financial Conduct Authority’s (FCA) COBS 10A.7 Nutmeg are required to retain certain data, Nutmeg are determined to retain this data for 7 years where there is no further obligation to retain. Our Third Parties may also have their own retention periods such as our debit card payment provider, please refer to their individual privacy policies for more information.

Any requests of erasure during the retention period will not affect this data, and it will be deleted once the retention period has expired.


Who we share this information with

For the purposes of the contract we are required to share your information with third parties, the situations in which we share this information are detailed below.

  • Regulatory bodies or the police to comply with our legal obligations.
  • Fraud prevention agencies, and other organisations in order to detect and prevent financial and other crime.
  • Data, service and software providers to help improve and maintain our website
  • Suppliers where necessary for the performance of the contract, including sub-contractors

We will endeavour to anonymise your data when sharing with these third parties, where possible.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting only with your required explicit consent.


Data Controller vs Data Processor

A Data Controller is under GDPR the entity that determines the purposes, conditions and means of the processing of personal data.

The Data Processor is the entity that processes data on behalf of the Data Controller.

Nutmeg are the data controller for your personal information, however, we are joint controllers with Embark Services Ltd (ESL) in respect to Nutmeg Personal Pensions. All other Third Parties act as data processors in respect of your personal information held by Nutmeg.


Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we collect.

Nutmeg has robust fraud screening processes to mitigate and detect fraud.

Nutmeg’s mobile apps are protected by a passcode. Nutmeg’s iOS app is compatible with Apple Touch ID.

Should Nutmeg transfer your data outside the EEA we will have appropriate additional measures in place to protect the data, and we will only transfer to countries and companies with adequate levels of protection.

Using the internet comes with risks, we cannot guarantee that any information sent to us by email or via our website will not be intercepted or tampered with; any communications are sent at your own risk.


Recommendations

There is also a lot that you can do to help us keep your account safe. We recommend that you take the following actions:

Password and Passcode
Do not give your device security details, including any passwords or passcodes, to anyone else and don't store them on your device. Get in touch with us as soon as possible if you feel someone may know your login details or if you lose your device. We can then stop the service to your device.

For added security, we recommend you should set up a passcode to access your mobile device. This option can usually be found under the Settings menu on your device and set up multi-factor authentication via your Nutmeg dashboard

Multi-factor authentication requires something you are, or something you have in addition to the password when you authenticate a log in to Nutmeg.

Use private browsing
Access Nutmeg using the best security offered by your browser to maintain the security of your account, this for example would be incognito for Google Chrome and Private browser for Safari.

Your handset
Do not leave your device unattended when logged on and watch out for people looking over your shoulder. Think carefully before jail-breaking or rooting your device. We advise against doing this as it may weaken the security of your device and expose you to additional risks.

If possible, keep your mobile device’s operating system updated with the latest security patches and upgrades. Older software may have security vulnerabilities that could expose you to additional risks. You may also want to consider using a reputable brand of anti-virus software on your mobile banking device.

When Nutmeg contacts you
We will never contact you to ask you to disclose your security credentials. Be cautious about opening links contained in SMS messages or emails and beware of phishing scams.

Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers.

If you use Nutmeg’s mobile app, we recommend that you take these additional measures:

Passcode, TouchID and FaceID
Your Nutmeg app is protected by a passcode. We recommend that if you use Nutmeg’s apps, you use enable TouchID or FaceID for biometric entry.

App store
Only download mobile apps from official app stores.

When accessing your Nutmeg account please be vigilant about who might be able to view your screen.


How we use cookies

A cookie is a small text file that’s placed on your computer or mobile device when you visit our website or mobile app. We, and some of our affiliates and third-party service providers, may use a few different types of cookies. Some are persistent cookies (cookies that remain on your hard drive and your browser for an extended period of time) and some are session ID cookies (cookies that expire when you close your browser).

We also use other tracking technologies like web pixels (sometimes called “tracking pixels”). These are tiny graphics files that contain a unique identifier that enable us to recognise when someone has visited our website or opened an email that we have sent them.

The types of cookies and tracking technologies we use help us operate our website, mobile app and services, enhance and customise your experience across our website and services, perform analytics and deliver advertising and marketing that’s relevant to you.

There are also cookies set by third parties across our websites and services. Third party cookies enable third party features or functionality to be provided on or through our website, mobile app and services, such as advertising, interactive content and analytics. They also enable us to manage Nutmeg advertising on other websites.


How can you control cookies?
Nutmeg use both essential and tracking cookies on our website and mobile app, which are mainly persistent cookies unless labelled as session only. You can accept or reject cookies by amending your web browser controls. Because some are essential our website, mobile app and services might not work like they’re supposed to, and in some cases, might not work at all, if you decide to reject all cookies.

There are two options when disabling cookies:

  • You can turn off Third-Party website cookies via your browser settings; or
  • You can turn off all cookies on nutmeg.com, this means you will no longer be able to use our service, but you can still visit our website

You can also manage your cookie settings by following your browser's instructions. Here are some links that might be of assistance:

Google Chrome
https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

Microsoft Internet Explorer
https://support.microsoft.com/en-nz/help/17442/windows-internet-explorer-delete-manage-cookies

Mozilla Firefox
https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Safari
https://support.apple.com/en-nz/guide/safari/manage-cookies-and-website-data-sfri11471/mac


What cookies Nutmeg use

Below is a list of cookies that we use on our website, mobile app and services. The types of cookies we use are always changing. Check back regularly to make sure you stay up to date. If you think we’ve missed a cookie, please let us know.


Cloudflare (.cloudflare.com)
Used for identifying individual users behind a shared IP to apply security settings on a per user basis.


Doubleclick (.doubleclick.net)
Used by DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficency of an ad and to present targeted ads to the user.


Facebook (.facebook.com)
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.


Google (.google.co.uk / .com)
Google cookie for user tracking, analytics and advert personalisation

Used by Google Maps to remember consent

Used by Google Maps to remember consent


LinkedIn (.ads.linkedin.com)
LinkedIn Ad analytics


LinkedIn (.linkedin.com)
Linkedin third party google analytics cookie

These cookies allow LinkedIn to enable sign-in functionality, track user behaviour and gather advertising analytics.

Used for routing


Nutmeg (.nutmeg.com)
This gives us insight into the visitors arriving on our website, in order for us improve our digital marketing.

Share this service and monitors clicks and time spent on pages

Used by Google Analytics to track user activity over different browsing sessions.

Used by Google Analytics to throttle request rate

Registers a unique ID that is used to generate statistical data on how the visitor uses the website.

Used to track user behaviour on our website to better understand how users are using the website.

Universal event tracking

We use IBM Silverpop for tracking and email

Used for insight into the use of Nutmegonomics

Used by Optimizely to store page variants assigned to user for A/B performance testing to ensure user gets a consistent experience.

Used by Optimizely for A/B performance testing; it is a unique user identifier

Records user activity on the website for performance purposes

Identifying audience segmentation

We use SnapEngage for providing an online chat facility

For the embedded videos hosted on our website

Wistia Data collection - track user behaviour in videos

Nutmeg capturing user consent to cookies

Heap Analytics user tracking

Session cookie set by Nutmeg

Nutmeg uses this to reference Optimizely Cookie manager

Session cookie set by Nutmeg

Your email address entered during signup

Your unique identifier assigned to you during setup


Optimizely (.optimizely.com)
Used by Google Analytics to track user activity over different browsing sessions.

User browser detction

Used to record amount of people that visited our website and have been previous visitors


Quantserve (.quantserve.com)
Used to track anonymously how users use a web site

Statistics and identification of website user demographic


Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.