Data protection

General data protection statement

This General Data Protection Statement (Statement) provides information on how we process personal data in our dealings with you, including:

  • when you visit (our website) 
  • how we manage your marketing preferences and any email updates you request from us
  • if you visit any of our offices.

If your client has products with one of our subsidiaries, please refer to the Data Protection Statement made available by our subsidiary for information on how we process your client's personal data, in particular please see:

  • where you visit and/or the James Hay Online secure portal; and
  • where you visit and/or access the Nucleus Wrap.”


Our controller

Our controller

The controllers are The IPS Partnership Plc; IPS Pensions Limited; Nucleus Financial Group Limited and Nucleus Financial Services Limited, James Hay Administration Company Limited; James Hay Wrap Managers Limited; James Hay Services Limited.

All controllers can be contacted using the details below:

Nucleus Financial Limited
Dunn’s House
St. Paul’s Road
03455 212 414


The personal data we collect

Personal data

The personal data we collect can be from information provided by you or any third parties you instruct on your behalf. The personal data we collect about you may include (directly or indirectly):

  • Your contact details such as name, title, addresses, telephone numbers and email addresses
  • Voice recordings of any telephone conversations you have with us (see further below)
  • Data in relation to your preferences in receiving marketing communications from us or our third parties on our instructions and any survey responses you provide us
  • Certain technical data, including, internet protocol (IP) address, MAC address, your login data (if you have signed up to use James Hay Online), browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website
  • information about how you use our website and James Hay Online
  • We may collect further personal data from you if you take out a product with one our group companies .

Special categories of personal data and criminal convictions and offences data

Unless you have a product with us, we do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

Your marketing preferences

We may also ask for personal data optionally, such as in relation to us sending you direct marketing communications. If you opt-in to receive such communications, then the personal data you provide us may be used by us to track and analyse your engagement with our marketing emails (including when you opened the email). We do this in an effort to better improve our services and communications with you.

You have a right to withdraw consent at any time by letting us know. If you do this, we will no longer process your personal data for the reasons originally agreed to, unless there is another lawful basis for doing so. Your marketing preferences can be changed by clicking the link at the bottom of any one of our emails.

Aggregated data

We also process aggregated data such as statistical data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your information about how you use our website or James Hay Online to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Statement.


How your personal data is collected

We use different methods to collect personal data including through:

  • Interactions with you. You may give us your identity and contact data by filling in forms or by corresponding with us by post, phone, email, when you visit our premises or otherwise. This includes personal data you provide when you:
    • Deal with us in respect of any commercial relationship you have with us directly or on behalf of any customer of our products or services
    • Attend any of our offices
    • Subscribe to our email updates service
    • Request marketing information to be sent to you
    • Provide us with information in relation to any market research, such as surveys you take part in
    • Give us feedback generally.
  • Online interactions. As you interact with our website, marketing emails we send you and/or James Hay Online, we may automatically collect certain technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy www.nucleusfinancialplatforms/ for further details.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
    • Certain technical data from analytics providers, such as Google based outside the EU, and search information providers
    • Certain identity and any contact data from publicly availably sources such as Companies House, the Electoral Register based inside the EU and via social media websites such as Facebook and LinkedIn (see further below).

Monitoring your communications with us

We monitor and record your communications with us in accordance with applicable laws. This includes telephone calls, emails, letters, faxes and any social media communications with us. We do this for the purposes of complying with legal obligations, to prevent and detect crime, quality control and monitoring purposes, to protect the security of our communication systems as well as our procedures and when we need to consider a record of what has been communicated.

Social media

We use social media websites, such as, but not limited to, Facebook, Glassdoor and LinkedIn, to interact with businesses and the public. If you choose to interact with us (including in respect of any competitions we run on social media), we may receive and store personal data from you, including the messages that you send to us in public or directly via the social media’s messaging system for proper governance and audit purposes.

We are not responsible for the security or protection of any personal data collected by social media websites. Please review the data protection statements and any policies of those websites before you use them.

Third party links

Our website may include links to third parties’ websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their data protection obligations. When you leave our website, we encourage you to read the data protection statements of each website you visit.


The lawful basis and purpose for processing personal data

Lawful basis

Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the commercial contract we have entered into with you, or in order to take steps, at your request, prior to entering into the commercial contract (“Contract Purposes”)
  • Where we need to comply with a legal or regulatory obligation (“Legal Purposes”)
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (“Legitimate Interests Purposes”)

We rarely rely on consent as a legal basis for processing personal data other than in relation to, for example, sending direct marketing communications to you (where you have opted-in to receive them).

You have the right to withdraw your consent at any time by contacting us using the details in this document.


Depending on our commercial relationship with you, your personal data may be used for the following purposes (which may overlap):

Contract purposes:

  • To run our commercial relationship with you including taking steps, at your request, prior to agreeing our commercial relationship with you
  • To communicate with you in the day-to-day running of our commercial relationship with you
  • To update our records

Legal purposes:

  • To provide personal data to others where it is necessary in the running of our relationship with you and for legal and regulatory purposes and related disclosures (which may mean passing your personal data to other James Hay Group companies including shareholders, reinsurers, investments managers, investment providers and other third parties involved in the servicing of your relationship with us)
  • When you contact us regarding exercising your rights under data protection laws
  • We may keep your personal data after our relationship has ended in accordance with applicable laws
  • For prevention, detection, investigation and reporting of crime, which may include providing your personal data to fraud prevention agencies
  • To monitor your communications with us (see further below)
  • For information security purposes
  • To contact you about our relationship with you
  • To comply with orders of the courts of competent jurisdictions, and for the establishment and defence of legal rights.

Legitimate interests purposes:

  • To ensure good and proper governance, administration, auditing, management of our business and our relationship with you
  • To conduct market research, analysis and to compile statistics to improve our products and services
  • To conduct marketing communications, subject to applicable laws
  • To monitor your communications with us (see further below)

Consent purposes:

We may ask for your consent. For example:

  • For certain direct marketing communications
  • For market research purposes

You are free to withdraw your consent at any time.

If you wish to change any of your marketing preferences, please do so by clicking the link at the bottom of any one of our emails.


Sharing personal data

We will share your personal data with others, including third party service providers and other entities in our subsidiaries respective group companies and our parent company, subject to applicable laws. We require third parties to respect your personal data and to treat it in accordance with the law.

When we share personal data with third parties

We will share your personal data with third parties when required by law, when performing a contract with you, when we have a legitimate interest to do so or otherwise with your consent.

Who we will share your personal data with

We may share your personal data with:

  • Our subsidiaries James Hay Partnership, Nucleus Financial Group our parent company IFG Group Limited and its subsidiaries
  • Third party subcontractors who help us provide our services to you, such as, IT services companies
  • Other companies involved in providing services to us
  • Our professional advisers, including accountants, auditors and lawyers
  • Governmental, regulatory and taxation bodies, such as the ICO, FCA and HMRC
  • Fraud prevention agencies
  • Market research companies for the purposes of improving our services
  • Mail and print companies for the purposes of contacting you
  • Any other third party permitted by law and in the following circumstances:
    • To protect the security of our business
    • To comply with courts of competent jurisdictions
    • In an emergency situation, in order to protect your vital interests
    • If we sell, merge, restructure or otherwise re-organise our business
    • When dealing with third parties upon your instructions

All our UK and EU third party service providers and other entities within our subsidiaries James Hay Partnership and Nucleus Financial Group and their parent companies must comply with data protection laws. We do not permit third party processors to use your personal data for their own purposes. We require third party processors to process personal data in accordance with our instructions.

Transferring data outside the EU

We share your personal data within our subsidiaries and our parent company IFG Group Limited and its subsidiaries.

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one or more of the following is implemented:

  • You have provided your explicit consent
  • The country receiving personal data is deemed to provide an adequate level of protection for personal data by the European Commission
  • Specific contracts and supplementary measures approved by the European Commission are in place which give personal data the same protection it has in the EU

Data security

How we will keep your data secure

Nucleus Financial Limited has in place appropriate measures designed to keep your data secure, preventing it from being lost, stolen, altered, used, accessed or disclosed in an unauthorised way.

These measures include:

  • Limiting access of your personal data to only individuals that have a genuine need to see it
  • Only allowing these individuals to use your data in accordance with your/our instructions
  • Having procedures in place to deal with any suspected or confirmed breaches of our Statement.

Security of data

  • We use the Secure Sockets Layer (SSL) protocol while you are logged in. If you are using Internet Explorer, this is indicated by the padlock in the bottom of your browser window. The secure areas of our website are used when you have to access personal data. The secure areas of the website can be identified by the address in the top of your browser. An encryption-enabled address will begin https:// rather than the usual http://.
  • In order to access your login we require 3 pieces of information from you to verify that you are authorised to view the details. First a user ID is required, secondly a password is needed and finally a passcode. Only once all three parts of the data are confirmed as being correctly entered will we allow access to the system.
  • All our online transactional services are protected by ‘firewalls’. This technology monitors and prevents any unauthorised access to our back-end systems in an effort to ensure that unauthorised users cannot access any account/personal details.

Your key data protection rights

Under certain circumstances, by law you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request corrections to the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it, this is subject to the mandatory document retention period having expired. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party. Please contact us.
  • Make a complaint to the Information Commissioner’s Office (ICO). You have a right to complain to the UK’s data protection supervisory authority – the ICO. We have provided contact details for the ICO below.

If you want to exercise your rights, please contact us using the details above.

You will not have to pay a charge to access your personal data (or to exercise any of the other rights). However, we may make a reasonable charge if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed.

Please keep us informed

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.


Other important information

Record retention

We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Automated decision making

Nucleus Financial Limited does not conduct automated decision making. Automated decision making is where personal data is used to make decisions without any human intervention, for example banks using credit scoring for credit card and loan applications.

The Information Commissioner’s Office

You can obtain general data protection information or exercise your right to make a complaint if you feel we have not handled your personal data correctly, by contacting the Information Commissioner’s Office at:

Information Commissioner’s Office
Wycliffe House
Water Lane
0303 123 1113


Cookies’ a small file of letters and numbers stored on your Internet browser or the hard drive of your computer.

A ‘controller’ determines the reasons for and method of processing your personal data. A controller will normally process your personal data, but may appoint another person or company to process your personal data on the controllers’ behalf.

The Financial Conduct Authority (FCA) is the regulator of the financial services industry in the UK.

Her Majesty's Revenue and Customs (HMRC) is responsible for the collection of taxes in the UK.

The Information Commissioner's Office (ICO) is the supervisory authority responsible for monitoring adherence to data protection regulations in the UK.

Personal data’ is information which by itself or combined with other information, can be used to identify you.

A ‘processor’ processes personal data on behalf of the controller. For James Hay, this is a company with the James Hay Group or a third party in certain instances. Where a third party processor processes personal data on your behalf, we will ensure that we comply with the law