Mainspring Fund Services Limited and Mainspring Nominees Limited (also referred to as “us”, “we” or “our”)
Registered Office: 44 Southampton Buildings, London, WC2A 1AP.
Registered: in England and Wales
Registration Number: 07222372 & 08255713
Data Protection Policy
Personal information may only be disclosed in accordance with the provisions of the Data Protection Act 1998 (“DPA”) and General Data Protection Regulation (EU) 2016/679 (“GDPR”), and/or any other law or regulation implementing, supplementing and/or replacing either the DPA or the GDPR. As used in this policy, the term “Applicable Laws and Regulations” shall include, together, the DPA and the GDPR, each of them, as from time to time applicable, amended, restated or supplemented.
The Applicable Laws and Regulations serve to regulate the protection of personal information stored in computerised filing systems, databases, and structured paper systems. The Information Commissioner’s Office is responsible for regulating compliance with the Applicable Laws and Regulations.
For the purposes of the Applicable Laws and Regulations, in some instances we may be classified as data controller and processor, and in others we may only be classified as data processor. This policy aims to give you information on how we collect and process the personal data of data subjects (as defined under GDPR) (“you”, “your”) either through your use of this website or otherwise.
The first section of this Data Protection Policy sets out terms specifically applicable to users of our website, whereas the rest of this Data Protection Policy applies to users of our website and anyone else who may provide us with personal data as a result of a contractual relationship or otherwise.
1. TERMS SPECIFICALLY APPLICABLE TO OUR WEBSITE VISITORS
1.1 Host location
This website is hosted in the United Kingdom.
We collect some information on our website through the use of ‘cookies’. To find out how we use them, see our cookie notice here: https://www.mainspringfs.com/cookie-policy/.
1.3 Information we collect about you
With regard to each of your visits to our website we may automatically collect the following information:
a) technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
b) information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); services you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
1.4 Links to third party websites
Our website may, from time to time, contain links to and from the websites of our clients, third party suppliers and industry organisations. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.
Please check these policies before you submit any personal data to these websites.
1.5 Uses of personal information from website visitors
In addition to Section 2 below we may process personal information that you give to us:
a) to ensure the security of our website and services, maintaining back-ups of our databases and communicating with Data Subjects and record-keeping;
b) for the purposes of supplying goods and/or services that we may from time to time advertise and sell through our website, and keeping proper records of those transactions;
c) to analyse the use of the website and services;
d) to ensure that content from our website is presented in the most effective manner for you and for your computer;
e) to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
f) to improve our website to ensure that content is presented in the most effective manner for you and for your computer;
g) to allow you to participate in interactive features of our service, when you choose to do so;
h) as part of our efforts to keep our website safe and/or secure;
i) to make suggestions and recommendations to you and other users of our website about services that may be of interest;
j) to collect broad demographic information for aggregate use; and
The legal basis for this processing is our legitimate interests and business and, where applicable, the proper performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and the proper administration of our website and business.
2. USES MADE AND PROCESSING OF THE INFORMATION
Where we are acting as data controller and/or processor, we may use information held about you (information that you give to us, information we collect about you and information we receive from other sources) in the following ways:
2.1 Information you give to us
We may process information that you give to us:
a) to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
b) to notify you about changes to our service; and
c) for the purposes of offering, marketing and selling relevant products and/or services to you.
Information you give us may comprise:
a) your name, address, telephone number, email address, gender, date of birth, relationship status, educational details and employment details, bank details, passport details, tax identifiers; and
b) information contained in or relating to any communication that you send to us, including any metadata associated with the communication, where applicable.
2.2 Information we receive from other sources
We may combine information that we receive about you from other sources with information you provide to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
2.3 Information of third parties
Other than where we have contractually agreed to receive personal data from a third party (e.g. from a fund manager acting as personal data controller) where we have been appointed as a third party processor, you will not supply to us, and we will not accept, any other person’s personal data other than your own personal data.
2.4 Processor only terms
Where Mainspring has been appointed to act solely as a third party processor, Mainspring:
(i) shall process personal data in accordance with the documented instructions of the relevant controller (unless otherwise required to do so by the Applicable Laws and Regulations and, in such case, where permitted under the Applicable Laws and Regulations, Mainspring shall inform the controller of the relevant details);
(ii) shall ensure that the persons authorised to process personal data have committed themselves to preserve the confidentiality of the personal data;
(iii) warrants that it has in place, and undertakes to maintain, appropriate technical and organisational measures to ensure an appropriate level of security, including against unauthorised or unlawful processing of such personal data and against accidental loss or destruction of or damage to such personal data as required under the Applicable Laws and Regulations;
(iv) shall only engage a sub-processor where: (i) the relevant controller has consented to that specific engagement in writing; (ii) there is a contract in place with that sub-processor that imposes data protection obligations on the sub-processor equivalent to those contained in paragraph 2.4 of this policy; and (iii) the sub-processor has committed to maintain the confidentiality of the personal data provided to it;
(v) warrants that it has in place procedures to promptly and effectively deal with any data subject access requests, transfer requests, queries or complaints made by data subjects in relation to Mainspring’s arrangements with the relevant controller (or the processing undertaken pursuant to it) and shall assist the relevant controller in addressing such requests, queries or complaints;
(vi) shall only retain personal data for as long is necessary for the purposes of the arrangements between Mainspring and the relevant controller or for other applicable legal, regulatory or reasonable business requirements. After such time, it will take reasonable steps securely to delete, destroy or return such personal data (to the extent that it is practicable to do so);
(vii) shall ensure that any appropriate records as required under the Applicable Laws and Regulations are maintained; and
(viii) shall provide the relevant controller and any applicable regulatory bodies, on reasonable notice, with the necessary access to facilitate an audit of its compliance with this paragraph 2.4.
3. WHERE WE STORE YOUR PERSONAL DATA
Whether we are acting as data controller and/or processor, the data that we have from you is hosted and stored in our servers and in certain third party applications contracted and required by Mainspring in the provision of its services.
Your data may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA, who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the provision of services to you and the provision of support services. By submitting your data, you agree to this transfer, storing or processing. We will take all reasonable steps necessary to ensure that your data is treated securely and in accordance with this Data Protection Policy and in compliance with the Applicable Laws and Regulations.
4. DISCLOSURE OF YOUR INFORMATION
Whether we are acting as data controller and/or processor, we may share information held about you in the following ways, unless, in cases where we act as personal data processor, a contractual agreement between us provides otherwise:
4.1 Group members
We may share your information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006 for the purposes set out in this policy.
4.2 Selected third parties
We may also share your information with selected third parties for the purposes set out in this policy. These selected third parties may include:
a) business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you, including payment service providers;
b) in respect solely of information collected in connection with our website, analytics and search engine providers that assist us in the improvement and optimisation of our website; and
c) insurers and/or professional advisers for the purposes of maintaining appropriate insurance levels, managing risks, obtaining legal advice and managing disputes.
We may disclose your information to third parties:
a) in the event that we sell or buy any business or assets, in which case, we may disclose your personal data to the prospective seller or buyer of such business or assets;
b) if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our users will be one of the transferred assets;
d) to protect the rights, property, or safety of us and our members or others. This includes exchanging information with other companies and organisations for the purposes of protecting and preventing against fraud and credit risk reduction.
RETENTION AND DELETION OF PERSONAL DATA
Where we are acting as data controller and/or processor, we will not retain and store any personal data for longer than it is necessary for the purposes of compliance with our legal obligations under the Applicable Laws and Regulations.
Unless we do not longer require your personal data or do not have a legitimate purpose to continue holding your data, we will retain your personal data for a minimum period of seven (7) years so that we are able to comply with the Financial Conduct Authority’s anti-money laundering regulations, or as any other longer period that may be imposed to us by any other law or regulation or, if appropriate, by the Applicable Law and Regulations (the “Data Retention Period”).
Upon elapsing of the Data Retention Period, all your personal data stored and retained by us will be deleted from its files and records.
6. YOUR RIGHTS
Under the Applicable Laws and Regulations, you have the following rights:
You have the right to be informed of your rights and how your personal data will be stored, treated, deleted and controlled, as all is set out in this policy.
6.2 Access to information
You have the right to access your personal data, so that you are aware of and can verify the lawfulness of the processing. The Applicable Laws and Regulations give you the right to access information held about you. Your right of access can be exercised in accordance therewith. Any access request is free of charge.
Please note that we reserve the right to charge a reasonable fee taking into account the administrative costs of providing the information and/or refuse to respond to any access request, should any such requests are manifestly unfounded or excessive, if in particular, these requests are repetitive.
If any such requests are denied, you would have the right to complain to the supervisory authority (the Information Commissioner’s Office).
You have the right to rectify any data that is incorrect and, taking into account the purposes of the processing, you have the right to request that any incomplete information is completed.
You can request that any data is erased:
a) where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
b) when you wish to withdraw consent;
c) when you object to the processing and there is no overriding legitimate interest for continuing the processing;
d) when your personal data has been unlawfully processed and in breach of Applicable Laws and Regulations;
e) when your personal data has to be erased in order to comply with a legal obligation; and
f) when your personal data is processed in relation to the offer of information society services to a child.
Processing of your personal data will be restricted in any of the following circumstances:
a) where there is a contest regarding the accuracy of your personal data, we will restrict any processing until the data has been verified;
b) where you object to the processing and we need to consider whether your organisation’s legitimate grounds override those of the individual;
c) when processing is unlawful and you oppose erasure and request restriction instead; and
d) if we no longer need your personal data but you require the data to establish, exercise or defend a legal claim.
6.6 Data Access Portability
You may also, free of charge, request to view, access and use your personal and transaction data in a way that is generally portable.
You may express an objection on grounds relating to your particular situation to:
a) processing based on legitimate interests or the performance of a task in the public interest/exercise of an official authority (including profiling);
b) direct marketing (including profiling); and
c) processing for purposes of scientific/historical research and statistics.
Whilst we accept responsibility for maintaining the personal information provided to us, we are not responsible for its accuracy over time or at the point of entry. If you identify any inaccuracy in your personal information, as a registered user you can make any necessary changes as required and as provided in this policy.
8. CHANGES TO OUR DATA PROTECTION POLICY
This Data Protection Policy will be updated from time to time, with the latest policy available on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Data Protection Policy and to ensure that you are happy with any such changes.
We may contact you by email, post or via our online portal, to the addresses and details provided to us.
10. CONTACTING US
Our Chief Operating Officer is the first contact for information about the Data Protection registration held by us and any data protection enquiries from clients or investors. Details of our registration can be found on the Data Protection Register on the Information Commissioner’s Office website (www.ico.gov.uk) under its registration number Z2611445.
Questions, comments and requests regarding this Data Protection Policy are also welcomed. You can contact us:
a) by e-mail at the following e-mail address: firstname.lastname@example.org and should be addressed to the Chief Technical Officer;
b) by post, at our registered office address set out above; and
by telephone, using the contact number published on our website from time to time.
Where we are acting as data controller and processor, any Personal Data Breach (that is, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed) will, where legally necessary, be promptly reported to the Information Commissioner’s Office (ICO) and the relevant individual. We will, in any circumstance address any Personal Data Breach promptly, seeking to ensure that any risks are mitigated and that no further Personal Data Breaches occur.
Where we are acting as data processor only, any Personal Data Breach will, where necessary, be promptly reported to the data controller who has provided the personal data to us for processing, and we will follow any Personal Data Breach procedure that we may have agreed with the controller or any process or procedure required by any Applicable Laws and Regulations.
12. FILING OF COMPLAINTS
If you have any complaints or concerns about the contents of this policy or your personal data stored, processed and/or controlled by us, you can address these to Mainspring’s Chief Technical Officer (whose contact details are set out in paragraph 10.a) above) or with the supervisory authority, the Information Commissioner’s Office.