Privacy Policy

June 2024

Who we are

Ekorn is a trading name of Umbra Capital Partners LLP (referred to herein as “Ekorn”, “us”, “our”,” we”). Umbra Capital Partners LLP is a Limited Liability Partnership registered in England and Wales at C/O Oakford Advisors Ltd, The Bee House, 140 Eastern Avenue, Park Drive, Milton Park, Oxford, England, OX14 4SB (Number OC425068), and authorised and regulated by the Financial Conduct Authority (Firm Reference Number: 917090). Umbra Capital Partners LLP is authorised and regulated by the Financial Conduct Authority.

Ekorn is committed to processing personal data in line with our responsibilities under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. Our offices are in London.

Our contact details:

Name: Ekorn

Address: 10 Lower James Street, London, W1F 9EL

E-mail: [email protected]

Compliance team/data protection officer:

If you need more information about the personal data we process, your rights or have any concerns about your personal data or our processing, please contact us at [email protected]

How Ekorn Collects Your Personal Data

Ekorn will use different methods to collect data from and about you including by:

Our services

Ekorn website

We are data controllers for any personal data we receive when contacted by you directly or via our website.

Ekorn products, services and technology

Where customers use our products, services or technology or integrate with our API, they are data controllers and we are data processors to those customers and their end-users’, where we are providing them with a product or service.

What personal data do we collect and process?

Ekorn website

  • details about how you use our website

Ekorn products, services and technology

  • title
  • your name (first name, last name)
  • address
  • email address
  • marital status
  • employment status
  • login credentials – username/password
  • account ID
  • telephone/mobile phone number
  • date of birth (DOB)
  • national insurance number (NINO)
  • nationality
  • gender
  • purchases, orders, payments made by you
  • products and services your purchased from us
  • your feedback about our services and products
  • details about how you use our platform, products, services
  • we may also process Anti-Money Laundering (AML) information provided to us by third parties, due to our regulatory obligations.

How we collect and process personal data

We use different methods to collect and process personal data from or about you, including:

Cookies

When you browse our website we collect data, via cookies, about your browsing actions, equipment, and patterns. Cookies also help us improve your website experience, for more information about cookies, see our Cookie Policy. You can choose not to accept cookies in your browser, but this may affect some website functionality or features.

Third parties or publicly available sources

We may receive personal data about you from third parties or via public sources, including:

  • analytics providers such as Google - outside the UK
  • identity and contact data – financial advisers.
  • identity and contact data - from publicly available sources.

How we use your personal data and lawful basis

Our primary purpose for processing your personal data is to provide the products, services, or technology you requested. In line with data protection laws and regulations, we only process personal data where we have a lawful basis for doing so. Our lawful bases for processing are:

Where we provide products or services to you through your relationship with your financial adviser (contractual basis)

Where we have legal or regulatory obligations (legal basis)

Where you have given us your explicit consent (consent basis)

Where it is in our (or our third party’s) legitimate interests and where those interests do not override your interests, rights, or freedoms (legitimate interests’ basis)

Contractual basis

processing your personal data where it is necessary for the performance of a contract, which you are a party or to take steps, at your request, before entering a contract.

to administer and/or manage the products, services, or technology that you signed up for

to contact you with important information regarding your contracted products, services, or technology

Legal and regulatory basis

processing your personal data where it is necessary for compliance with legal and regulatory obligations that we are subject to, including HM Revenue & Customs; Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO) and other United Kingdom authorities who require us to report information to them in specific circumstances.

Consent basis

where you consent to us contacting you when necessary, including routine communications or to share updates about our services and newsletters.

where you consent or opt-in to receive direct marketing communications from us, or a third party, via online, phone, email, or text message.

where you consent to receiving information about recommended goods, services or promotions that interest you.

Consent and legitimate interest bases

where you consent to us sharing your personal data with our partners, for managing internal business processes and our services to you, in the most effective way.

Changing your mind – (opting-out)

if you change your mind and no longer consent to receiving information from us, you can opt-out (at any time), by simply contacting us or associated third parties.

Legitimate interest basis

to improve and develop our products, services, and internal operations, including troubleshooting, data analysis, testing, market research campaigns, statistical and survey purposes.

to provide a tailored and personal experience when using our online products and services

to measure or understand the effectiveness of relevant advertising provided by us.

to measure, understand and gain feedback on the effectiveness of our services, allowing us to enhance and improve the services we provide.

to allow us to continually improve our technology by understanding the way our products and services are used by you.

Your legal rights as data subjects

When processing your personal data, we must consider the following individual rights, that you are granted (as a data subject) under data protection laws.

Right to be informed

  • you have the right to request that we confirm whether we are processing your personal data or not.
  • you have the right to be given our contact details.
  • you have the right to request name and contact details of our representative or data protection officer.
  • you have the right to request the purposes of processing.
  • you have the right to request the lawful basis for processing.

Right of access

  • you have the right to access your personal data – commonly known as a subject access request (SAR)
  • subject access requests can be made by contacting us verbally, or in writing (email, letter)
  • we cannot charge a fee to deal with a request in most circumstances.

Right to rectification

  • you have the right to have inaccurate personal data corrected or completed, where it is incomplete.
  • you can make a request for a rectification or correction by contacting us verbally, or in writing (email, letter)
  • there are some limited circumstances, where we can refuse a request for rectification or correction.

Right to erasure (or the right to be forgotten)

  • you have the right to have your personal data erased or deleted - also known as ‘the right to be forgotten’.
  • right to erasure requests, include circumstances where you successfully exercised your “right to object.”
  • you have the right to request your personal data is erased or deleted - where your personal data is no longer necessary for the purpose it was originally collected or processed for
  • you have the right to request your personal data is erased or deleted – where we are relying on consent as our lawful basis for holding your data and you withdraw consent
  • you have the right to request your personal data is erased or deleted – where we are relying on legitimate interests as our lawful basis for processing, where you object to the processing and there is no overriding legitimate interest to continue processing
  • you have the right to request your personal data is erased or deleted – where we are processing your personal data for direct marketing purposes and you object to that processing
  • you have the right to request your personal data is erased or deleted – where we have processed your personal data unlawfully (i.e. in breach of the lawfulness requirement)
  • you have the right to request your personal data is erased or deleted – where we have to comply with a legal obligation
  • you can make a request for erasure by contacting us verbally, or in writing (email, letter)
  • BUT the right is not absolute and only applies in certain circumstances, i.e., legal, or regulatory requirements may override your request.

Right to restrict processing

  • you have the right to request a restriction or suppression to processing your personal data.
  • when processing is restricted, we are permitted to store the personal data, but not use it.
  • right to restrict processing requests, include cases where:
  • you ask us to establish the accuracy of personal data.
  • we may have used your personal data unlawfully, but you do not want it to be erased.
  • you want us to hold the personal data, where there is no longer a requirement for us to process it i.e., where you need to establish, exercise or defend a legal claim OR where you have objected to processing and we need to verify whether there are overriding legitimate grounds.
  • you can make a request to restrict processing by contacting us verbally, or in writing (email, letter)
  • BUT this is not an absolute right and only applies in certain circumstances.

Right to data portability

  • you have the right to data portability, where you request to obtain and reuse your personal data, for your own purpose, across different services, which includes history of website usage or search activities and/or location data.
  • BUT this right only applies to information you provide us, where we are considered a data controller.

Right to object

  • you have the right to object to us processing your personal data in certain circumstances – where we are relying on a legitimate interest (or those of a third party).
  • you have an absolute right to object and stop your personal data being used for direct marketing.
  • you can make a right to object request by contacting us verbally, or in writing (email, letter)
  • BUT in certain cases, where the right to object applies, we may be able to continue processing if we can show that we have a legitimate reason for doing so, that does not conflict with your rights, interests, or freedoms.

Automated decision making and profiling

  • you have the right not to be subject to automated decision making (deciding something solely by automated means without human involvement), including profiling, where it results in a legal or significant negative impact on you.
  • you have the right to request an explanation of any logic, where automated decisions are made about you.

Right to complain

You have the right to complain to us, or against us to the ICO, at any time. In the first instance, we would like to be given the chance to deal with your concerns, before you approach the ICO, by contacting, [email protected].

Alternatively, you can contact the Information Commissioner’s Office (ICO), the UK’s supervisory, regulatory authority, for any concerns you have over our handling of your personal data

Responding to your requests (subject access requests - SARs)

We have one calendar month to respond to your request, but we may extend the time by a further two months if your request is complex or we have multiple requests from you. However, we will always let you know within one month and explain why any extension may be necessary.

If you need more information about the personal data we process, your rights or have any concerns about your personal data or our processing, please contact us at [email protected].

In most cases there is no fee applicable to personal data or rights requests, however, we reserve the right to charge a reasonable fee to cover any administrative burden, where your request is unfounded, overly excessive, or duplicates information previously received.

Disclosure to third parties (sub-processors)

We may disclose your personal data to third-party sub-processors on occasions where we cannot reasonably perform the processing activity ourselves or where we have made a business decision to do so. Where a sub-processor is used, we always perform due-diligence and/or define contractual clauses to ensure they adhere to our data protection, security and data privacy requirements.

Our website – sub-processors and locations

customer relationship management (CRM) - EU

surveys or process feedback - EU

web and usage analytics - US

Our products, services and technology – sub-processors and locations

cloud infrastructure services – UK data centres

database managed services – UK data centres

IT management and administration services – UK

Third-party links

Our website, products or services may include third-party links or associations to applications, contributors, plug-ins and/or other websites. Clicking on these links or enabling connections may allow third parties to collect or process personal data about you. We do not control third-party websites and are not responsible for their privacy statements. When you leave our website, please ensure you review and consider any third-party privacy policies.

International transfers

On occasions where we process your personal data outside the UK, we take appropriate measures to ensure that your personal data and rights are given equivalent levels of protections, granted under UK data protection laws. In these cases, we consider the following:

  • is the transfer to another country or territory covered by adequacy regulations?
  • is the transfer to the US under the UK Extension to the EU-US Data Privacy Framework?
  • are we relying on transfer mechanisms and transfer risk assessment (TRA) under UK GDPR:
  • International Data Transfer Agreement (IDTA) OR
  • International Data Transfer Addendum (Addendum) – under UK GDPR, we cannot rely solely on new EU Standard Contractual Clauses (SCC) and must include the UK Addendum.

Personal data security

The protection and security of your personal data is our priority, where we take a layered approach to our security controls across the following areas: organisation, people, physical, and technology, and we align with international security standards and frameworks.

Storage and retention

We store and retain (keep) your personal data for as long as reasonably necessary to fulfil the purpose it was originally collected. We also keep it for additional purposes, where we are obligated to satisfy accounting, legal, regulatory, reporting and tax requirements. On limited occasions, we may keep personal data longer, where you raise a complaint against us, or where we reasonably believe there is a prospect of litigation.

Privacy policy last update

We aim to keep this privacy policy under regular review in line with our legislation and regulatory requirements. Last review and updated date: 30th June 2024.