Privacy policy

Introduction

NewFlex Limited (the “Operator”) registered in England No 05432553 Registered office 140 Aldersgate Street, London EC1A 4HY, acting on behalf of its Client British Overseas Bank Nominees Limited (registered in the United Kingdom with company number 00220905) and WGTC NOMINEES LIMITED (registered in the United Kingdom with company number 01255218) both of 250 Bishopsgate, London EC2M 4AA in their capacity as nominees for and on behalf of NatWest Trustee and Depositary Services Limited as trustee (and not otherwise) of the St James's Place Property Unit Trust. (the “Owner”) (“the Parties”) are committed to implementing leading data protection standards and to respect human rights in data management.

This policy sets out how the Parties will collect, use and protect an individual’s personal data, including data from NewFlex’s and its partner websites. It will also inform you about your privacy rights and how the law protects you. the Parties are also committed to obtain user data through lawful and transparent means, with your explicit consent, where required and will only collect and process your data, limited to the stated purpose. If you have any questions about this Privacy Notice or any questions or concerns regarding the manner in which your personal data is being processed, then please send your query to the Data Protection Officer, detailed below.

1. How Your Personal Data is Collected

the Parties are the Data Controllers for personal data about members, partners, event attendees, newsletter subscribers or when sending marketing material, which you expect to receive or have consented to receive.

the Parties use different methods to collect data from and about you including through:

Direct Interactions – you may give us your identity, contact and financial data by filling in forms or by corresponding with us by website, social media, post, phone, email or otherwise. This includes personal data you provide when you: • register as a user of our products or services; • subscribe to our publications; • request marketing communications to be sent to you or you update your marketing preferences; • respond to a promotion or survey; • attend seminars, training or other events; • provide feedback the Parties will also collect anonymised statistics to improve its website.

2. The Data we Collect about You

Personal data means any information about an individual from which that person can be identified. It does not include anonymised or aggregated data, where it is not possible to identify an individual from the data. We may collect, use, store and transfer different kinds of personal data about you: • Identity Data includes first name, maiden name (for security reasons), last name, username or similar identifier, marital status, date of birth and gender. • Contact Data includes billing address, postal address, email address and telephone numbers. - Financial Data includes bank account details • Transaction Data includes details about payments to and from you and other details of products and services • Technical Data includes internet protocol (IP) address, your log-in data, browser type and version, operating system and platform and other technology on the devices you use to access this website, products you viewed or searched for, length of visits to certain pages and page interaction information (such as scrolling, clicks and mouse-overs). • Profile Data includes your username and password, purchases or orders made by you and any requests for support, your interests, preferences, feedback, survey responses, promotion responses and where you have registered for training or an event.

3. Your Legal Rights (including Access to Your Data)

Under certain circumstances, you have rights under data protection laws in relation to your personal data. the Parties will only use your personal data when the law allows us to. As an individual whose personal data is processed by the Parties, you have the right to: Be informed (which is the purpose of this Privacy Notice); • access the data the Parties hold about you. Object to direct marketing (by contacting the Parties at the address below or by email to [email protected]); • Object to any processing carried out on the basis of legitimate interest (to undertake the service that you would expect or in line with a contract); • Request erasure of data the Parties hold about you (in some circumstances, this may not be possible if the Parties has a legal obligation to retain it); and, • Request that your data be restricted or blocked from processing. The General Data Protection Regulation (“GDPR”) includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. An individual can make a request for rectification verbally or in writing and the Parties have one calendar month to respond to a request. You have the right to know if the Parties are processing your personal data, and if so, to be provided with a copy of such personal data, along with other supplemental information, regarding the nature and scope of the processing. It is important that such requests are handled fairly, ensuring that the application of those rights do not undermine other obligations, such as preserving the data protection or privacy rights of third parties, preserving any confidential duties and ensuring compliance with law enforcement activity. To exercise any of these rights, write or email your request to Joanne Wilkinson, Data Protection Officer at the address below or by email to [email protected]. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. the Parties will confirm to you that inaccurate personal data has been rectified or completed if it is incomplete.

4. Contacting You

the Parties will only contact you if you’ve asked to be contacted or if your contact details are featured in a third-party contact list, in which you’ve been included by consent. You have the ability to opt-out of being contacted by the Parties at any point. You will receive telephone or emails from the Parties if you have contacted us using an online contact form. the Parties also engage in business to business marketing activity.

5. Your Duty to Inform us of Changes

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes, by contacting us.

6. Storing Your Data

the Parties will store your data securely and do its utmost to protect your data and privacy using suitable security technology. the Parties may contract with third parties to process your data on its behalf and they will do so in accordance with our principles and instructions and not for any other purpose. the Parties will require any third parties with whom your data is shared, to comply with our company policy. the Parties will ensure that any third parties used in connection with the running of its website and services (for example, hosting providers) act according to its strict contractual obligations.

7. Changes to this Policy or Data Breach

the Parties will keep this Privacy Notice under regular review and will publish any changes to this policy on its websites. Where the changes to this policy are significant, the Parties may also choose to email all of its registered users with the new policy. the Parties will also notify individuals of any data breach which affects you and will undertake incident investigation and corrective action to minimise the incident re-occurring.

8. Use of Cookies and Web Beacons (Pixels)

the Parties will collect anonymised statistics using cookies and pixels. A cookie is a small computer file containing letters and numbers, which a website may send to a user’s computer to improve their experience. the Parties use cookies to: • collect anonymised data about the number of visitors to its website (and pages), so that it can improve the website and ensure that content is easy to find and engaging; and, • remember preferences for text size and colour, for example. For information on controlling cookies visit: https://www.aboutcookies.org A pixel is a small tracking image inserted into some of our marketing and communications to track engagement. the Parties use pixels to: • collect anonymised data about the number of times an email has been opened and read (if at all), so that it can determine the impact of specific email campaigns; and, • collect anonymised data about when an email has been opened and read and the type of device used, so that it can better understand the customers it serves. For information on pixels and other web beacons visit: https://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

9. Anonymised Data

the Parties will only share anonymised data or anonymised and aggregated data about its users with advertisers or other third parties.

10. Security Procedures and Staff Training

The GDPR requires the Parties to follow strict security procedures when storing and disclosing information that you have given us, to prevent unauthorised access. the Parties will not sell, trade or rent your personal information. the Parties may provide aggregated data about its customers, sales, traffic patterns and related site information to reputable third parties but this data will never include personally identifying information. Data processors given access to your data to provide services on behalf of the Parties are subject to contractual restrictions to ensure that your data is protected. Your data will not be used independently by any such third party. the Parties reserves the right to access and disclose personally identifying information about you to comply with applicable laws, to comply with lawful government requests, to operate its systems properly and to protect its users. All NewFlex staff are required to undertake and pass annual data protection and cyber security training. Where required, NewFlex will provide additional training to those areas of the business that NewFlex considers to be at a higher risk.

11. Data Retention

the Parties will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements To determine the appropriate retention period for personal data, we consider any applicable legal requirements, together with the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means.

12. Legal Information under the GDPR

For the purposes of the GDPR, Joanne Wilkinson is the Data Protection Officer for NewFlex and can be contacted at: NewFlex Limited, 140 Aldersgate Street, London, EC1A 4HY, United Kingdom. Alternatively, you can email [email protected] Any queries regarding the Parties use of data and its data policies should be addressed to the NewFlex Data Protection Officer. For further information about the Parties data protection processes, please refer to our separate data protection policy.

13. Your Right to Complain

If you think that there is a problem with the way the Parties handle your data or if you have a complaint, then please direct it to NewFlex’s Data Protection Officer, using the contact details set out in section 9 of this Notice. You also have the right to contact the Information Commissioner’s Office at: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. January 2022