Root Privacy Policy
You should have a short-form privacy policy or fair processing policy at the actual point when you collect data from an individual.
As we see from this template and ICO’s guidelines, they recommend simple and short privacy policies. As such, there is no need to create a complicated and long policy. The most important part of the policy is the information you fill in based on the data collection and processing you’re planning to do, including the types of personal data you collect and how you plan to use such data.
Our contact details
Name: Resolut Shareholder Services Ltd (trading as “Root")
Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Phone Number:
E-mail: info@rootinvestors.io
Last updated: June 2024
This privacy policy aims to give you information on how Root collects and processes your personal data through your use of this website and Root’s applications and products.
The type of personal information we collect
[Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).]
We currently collect and process the following information:
· Personal identifiers, contacts and characteristics (for example, name and contact details)
· [Add to this list as appropriate]
TO DISCUSS WITH FF
· Contact Data includes [billing address, delivery address, email address and telephone numbers].
· Financial Data includes [bank account and payment card details]. •
· Transaction Data includes [details about payments to and from you and other details of products and services you have purchased from us].
· Technical Data includes [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website].
· Profile Data includes [your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses].
· Usage Data includes [information about how you use our website, products and services].
· Marketing and Communications Data includes [your preferences in receiving marketing from us and our third parties and your communication preferences].]
[We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity.]
How we get the personal information and why we have it
Will fill in table with the above information and it's uses post meeting with FF
The below section applies to both Root’s website and applications.
Most of the personal information we process is provided to us directly by you for one of the following reasons:
· [Add the reasons you collected personal information]
· Self reminder to include ensuring eligibility to make an account (verification)
You may include, for example the following reasons. It is important that you list the reasons you’re intending to use user data.
- to provide you our services;
- to contact you by email or push notification regarding updates or informative communications related to functionality, products or contracted services, when necessary or reasonable for their implementation
- To provide you with news, special offers and information about the service
- To manage your requests to us
[If applicable] We also receive personal information indirectly, from the following sources in the following scenarios:
· [Add the source of any data collected indirectly and why you collected the personal information]
· Ask FF about extra data and add in appropriate links
Example:
Technical data from the following parties:
(a) analytics providers [such as Google based outside the UK];
(b) advertising networks [such as [NAME] based [inside OR outside] the UK]; and
(c) search information providers [such as [NAME] based [inside OR outside] the UK].
• Contact, Financial and Transaction Data from providers of technical, payment and delivery services [such as [NAME] based [inside OR outside] the UK].
• Identity and Contact Data from data brokers or aggregators [such as [NAME] based [inside OR outside] the UK].
• Identity and Contact Data from publicly available sources [such as Companies House and the Electoral Register based inside the UK].
We use the information that you have given us in order to [list how you use the personal information].
You should also clearly identify any non-obvious personal data uses, for example, data used for profiling, automated decision-making and direct marketing purposes.
Example from Strabo’s privacy policy:
- To provide and maintain the service
- To manage your account and registration of the user to the service
- To contact you by email or push notification regarding updates or informative communications related to functionality, products or contracted services, including security updates, when necessary or reasonable for their implementation
- To provide you with news, special offers and information about the service
- To manage your requests to us
- To send you rewards
We may share this information with confirm with FF [enter organisations or individuals].
Article 13 of the UK GDPR requires a privacy policy to disclose all recipients or categories of recipients of the personal data.
It is recommended to provide information on the actual (named) recipients of the personal data if possible. However, if the recipients tend to change quickly, it is better to include categories of recipients instead.
Where categories are used, the information provided should be as specific as possible about the categories of recipients (that is, include the activities of the recipient and the industry they are in (with sector and sub-sector) together with location of the recipient).
[• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.]
This section can/should be inserted to specifically reserve the right to transfer or disclose personal data in connection with a sale of the business or its assets
[International transfers]
[Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.]
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented [DELETE AS APPLICABLE]:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data. For further details, see [ ].
• Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK. For further details, see [ ].
• [OTHER].]
The UK GDPR restricts transfers of personal data outside the UK unless the recipient country provides adequate protection for the personal data, or other safeguards are in place.If you want to transfer the personal data collected across international borders or use external service providers (such as IT providers) in other jurisdictions and personal data may need to be transferred to those third parties for the performance of the services, you should include a section regarding the transfer.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are: [delete as appropriate]
You must determine your lawful basis before you begin processing, and you should document it.
(a) Your consent. You are able to remove your consent at any time. You can do this by contacting info@rootinvestors.io
In most cases, online businesses will not need consent to process personal information other than for processing special categories of data If data processing is based on consent, the individual has the right to withdraw consent at any time without any justification Data subjects must be informed of their right to withdraw their consent and consent must be as easy to withdraw as it is to give.
(b) We have a contractual obligation.
You can rely on this lawful basis if you need to process someone’s personal data:
- to deliver a contractual service to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
The processing must be necessary. I think contract is one of the lawful basis that Root can rely on.
(f) We have a legitimate interest.
How we store your personal information
Your information is securely stored.
Or [We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.]
You must:
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
• Ensure that anyone acting under their authority who has access to the personal data does not process it except on their instructions, unless required to do so by domestic law.
You can include the above section to confirm that you’re complying with the above obligations. But you should not make false promises or statements.
We keep [type of personal information] for [time period]. We will then dispose your information by [explain how you will delete their data].
OR
[We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
OR
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for [six] years after they cease being customers for [tax] purposes.]
In some circumstances you can ask us to delete your data: see your rights below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.]
You are required not to retain personal data in a form that enables customers to be identified for longer than is necessary to fulfil the purposes the data was collected for. If you’re planning to create a data retention policy, you may wish to link to your data retention policy from this privacy policy.
If specific retention periods are not available, businesses may wish to include the criteria used to determine that period.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at info@rootinvestors.io if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at info@rootinvestors.io
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk