This Group Privacy Statement (the “Privacy Statement”) aims to give you information on how the Group, as defined below, may use, collect and/or process your personal data both in relation to your use of our websites and/or the products and services we provide.
Data privacy laws and regulations (the “DP Laws”) regulate the way in which we are required to deal with your personal data (i.e. information which directly or indirectly identifies you).
For the purposes of the DP Laws, each of Shore Capital Stockbrokers Limited (“SCS”), Shore Capital and Corporate Limited (“SCC”), Puma Investment Management Limited (“PIML”), Puma Private Equity Limited (“PPEL”), Puma Property Finance Limited and Shore Capital International Limited all with registered offices at Cassini House, 57 St James’s Street, London SW1A 1LD and Puma Property Investment Advisory Limited and Realty Investment Advisors Limited with registered offices at 1 Royal Plaza, Royal Avenue, St Peter Port Guernsey GY1 2HL (together, “the Group”, “we”, “us” or “our”) is considered to be a data controller. This means we are primarily responsible for making determinations about how and why we process your personal data.
The Group is committed to protecting the privacy and security of your personal data. This Privacy Statement provides information on how your personal data is processed by us in the course of our business.
2. What is Personal Data?
“Personal data” is data which, by itself or with other data available to us, can be used to identify you. As set out in the DP Laws, this means any data which relates to a living individual who can be identified from that data or from that data and other information, which is in the possession of, or is likely to come into the possession of, the Group (or its representatives or service providers). In addition to factual information, it includes any expression of opinion about an individual and any indication of the intentions of the Group or any other person in respect of an individual. It does not include data where the identity has been removed (anonymous data).
“Special Category Personal Data” means any personal data relating to your racial or ethnic origin; your political opinions; your religious (or similar) beliefs; your physical or mental health condition; details of criminal offences or criminal convictions (including the commission or alleged commission of any offence, any proceedings for any offence committed or alleged to have been committed and the disposal of such proceedings or the sentence of any court in such proceedings) and your genetic and biometric data.
3. Collection of personal data
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
apply for or use our products or services (including as an investor, in application for an account to trade, information received about you as a director or substantial shareholder of an entity to which a Group entity has been, or it is proposed that we are, appointed as an adviser, financial adviser, broker, lender etc, and/or information which we have received from you in your professional capacity such as where we provide you with services subject to our entering into a services agreement or other similar arrangement;
subscribe to our service or publications;
request marketing to be sent to you;
enter a competition, promotion or survey; or
give us feedback or contact us.
Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
credit reference agencies
fraud prevention agencies
Technical data from the following parties:
advertising networks; and
search information providers;
Contact, financial and transaction data from providers of technical, payment and delivery services.
Identity and contact data from data brokers or aggregators; and
information we receive through the following websites, including subdomains (the “Websites”):
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
4. Types of Personal Data Collected
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes billing address, delivery address, email address and telephone numbers.
Financial Data includes bank account and payment card details.
Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, products and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. We may monitor and/or record your telephone calls and electronic transactions.
We will only collect and process your Special Category Personal Data with your explicit consent or where the processing is specifically authorised by a regulatory body or required by the DP Laws.
5. How we use your Personal Data
Your personal data may be stored and processed by us in the following ways and for the following purposes:
to assess your application as a prospective Investor, Client or Business Contact and where applicable the provision of services requested by you;
to provide you with services subject to there being a contract or other arrangement in place and to send to you details regarding other information which the Group may provide from time to time;
detecting and preventing financial crime including fraud and/or money laundering;
statistical analysis and assessment;
to communicate with you and in order to provide you with services or information about the Group and the services we provide;
in order to comply with and in order to assess compliance with applicable laws, rules and regulations, and internal policies and procedures; and/or
for the administration and maintenance of databases storing personal data.
6. The legal basis for processing your personal data
The DP Laws set out a number of different bases pursuant to which we may collect and process your Personal Data, including:
6.1 Where you have provided your consent
In specific situations, we can collect and process your data with your consent. For example, when you request us to disclose your personal data to other people or organisations when we process Special Category Personal Data about you at your request or where required as part of the product or service applicable to your relationship with us.
You are free at any time to change your mind and withdraw your consent in accordance with Section 10. The consequence might be that we are unable to provide certain products and services to you.
6.2 Contractual obligations
We will use your personal data to comply with various contractual obligations, including to manage and perform our obligations under a contract, to assist you and answer your requests, to update our records where your personal data changes and you notify us of such changes or to contact you about the service(s) we provide you as an Investor, Client or Business Contact.
6.3 Legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including when you exercise your rights under the DP Laws and for compliance with legal and regulatory requirements and related disclosures such as verifying your identity, making credit checks and to perform ‘know-your-customer’ (“KYC”) checks. We are obliged to take all necessary steps in order to prevent and detect financial crime including money-laundering and financing of terrorism and in order to comply with legislation relating to sanctions and embargoes. We also record and may monitor phone calls and electronic communications made or sent to or by us in order to comply with our regulatory obligations.
6.4 Our legitimate interests
In specific situations, we may use your personal data to pursue our legitimate interests in a way which you might reasonably expect, and which does not materially impact your rights, freedom or interests. For example, we will use the information to understand your needs and interests, to communicate with you in order to provide you with information about the Group and for maintaining compliance with internal policies and procedures. As a Business Contact, we will also use your contact details to send you direct marketing information informing you about events and services that we think might interest you. If you wish to stop receiving marketing communications from us, please email [email protected]. In the context of this Privacy Notice, ‘legitimate interests’ means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
In addition to any recording of electronic communications that is either legally authorised or imposed or to which you have consented, we may record electronic communications with you for the purpose of ensuring the training and supervision of employees, improving the quality of the service and/or providing evidence of commercial transactions or communications that took place through these electronic communications including the content of these communications.
However, we use personal data we make sure that the usage complies with the DP Laws. Further, we shall ensure that your personal data is accessed only by employees of the Group that have a need to do so for the purposes described in this Privacy Statement.
7. Sharing your information with third parties
We may share your personal data with our affiliates within the Group. We may also share your personal data outside of the Group for the following purposes:
(i) with our business partners, such as Pershing Securities Limited. Personal data will only be transferred to a business partner who is contractually obliged to comply with appropriate data protection obligations and the relevant privacy and confidentiality legislation;
(ii) with third party agents and contractors for the purposes of providing services to us (for example, accountants, professional advisors and IT and communications providers). These third parties will be subject to appropriate data protection obligations and they will only use your personal data as described in this Privacy Statement;
(iii) with other third parties such as HM Revenue & Customs, regulators and other authorities, if and as required by law or regulation;
(iv) to the extent required by law, for example if we are under a duty to disclose your personal data in order to comply with any legal obligation (including, without limitation, in order to comply with tax reporting requirements and disclosures to regulators), or to establish, exercise or defend our legal rights;
(iv) if we sell our business or assets, in which case we may need to disclose your personal data to the prospective buyer for due diligence purposes; and
(v) if we are acquired by a third party, in which case the personal data held by us about you will be disclosed to the third party buyer in order that they may continue to provide you with the relevant product or service.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. International Transfers
In certain circumstances, we may transfer your data to another country.
Whenever we transfer your personal data out of the country, we ensure a similar degree of protection is afforded to it by transferring data only to countries that have been deemed to have an adequate level of protection for personal data. If a recipient country does not have adequate measures in place, we will instead ensure that contractual protections are in place.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the country.
9. Security and data retention
As a condition of employment, employees of the Group (“Group Employees”) are required to comply with all applicable laws and regulations, including the DP Laws. Access to Special Category Personal Data is limited to those Group Employees who need to it to perform their roles. Unauthorised use or disclosure of confidential client information by a Group Employee is prohibited and may result in disciplinary measures.
When you contact a Group Employee regarding the product or service we provide to you, you may be asked for some personal data. This type of safeguard is designed to ensure that only you, or someone authorised by you, has access to your records held by us.
How long we will hold your Personal Data for will vary and will be determined by the following criteria:
(i) the purpose for which we are using it – we will need to keep the data for as long as is reasonably necessary for that purpose; and
(ii) legal obligations – law or regulation may set a minimum period for which we have to keep your personal data.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. Your rights in all the above cases in which we collect, use or store your personal data, you have the following rights under the DP Laws:
(i) the right to obtain information regarding the processing of your personal data and access to the personal data we hold about you;
(ii) the right to withdraw your consent to the processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason for doing so. For example, we may need to retain personal data to comply with a legal or regulatory obligation;
(iii) the right to request that we rectify your personal data if it is inaccurate or incomplete;
(iv) the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data but we are legally entitled or obligated to retain it;
(v) the right to object to, or request that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled or obligated to refuse that request;
(vi) the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you; and
(vii) the right to lodge a complaint with the relevant data protection regulator if you think that any of your rights have been infringed by us.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You can exercise your rights by contacting us using the details set out in Section 12 below.
11. Changes to this Privacy Statement
We keep this Privacy Statement under regular review. We reserve the right to update this Privacy Statement at any time to comply with the DP Laws or other relevant law or regulation.
12. Contact Information
If you have any questions or concerns about the processing of your personal data, or about this Privacy Statement, please contact us by addressing the communication to the relevant Group entity at [email protected] or [email protected], or in writing to Cassini House, 57 St James’s Street, London SW1A 1LD.
We are usually able to resolve privacy questions or concerns promptly and effectively. If you are not satisfied with the response you receive, you may escalate concerns to the applicable privacy regulator in your jurisdiction. Upon request, the Group will provide you with the contact information for that regulator.