Privacy Policy

A quick summary

We collect personal information and usage data in various ways to help us provide our services. We share this data with select third parties to help us achieve this, and to help us reach more people who may benefit from our service. 

Who are we?

We are Shack Media Limited, a financial education company registered in England & Wales (13750443).

We take your privacy seriously.

If you have any questions about this policy or need to get in touch with us, you can do so by:

Post - 4th Floor, 399-401 Strand Strand, London, England, WC2R 0LT

Email - support@james-shack.co.uk

We’re registered with the Information Commissioner’s Office under reference ZB493910

Our Commitment

We are committed to protecting your personal information and other data provided. If we request information from you by which you could be identified (“personal data”), information of this type will only be used in accordance with this Privacy Policy. We will be the controller for your data when you sign up for or purchase a product or service with us. We may also act as a data processor, where you gained access to our products or services through another company.

It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Policy supplements the other notices and is not intended to override them.


Lawful Basis of Processing

Under data protection laws, we must have a legal basis in order to process your personal data. The legal bases on which we may process your data are:

Consent: where you have consented for us to process your personal data for one or more specific reasons

Performance of a contract: in order to perform a contract we have with you

Legal obligation: where processing of the data is required by law. 

Legitimate interest: to carry on the purposes of our business. We also have a legitimate interest in:

  • preventing fraud and money laundering and to verify identity, to protect our business and our customers;

  • understanding how people interact with our website; 

  • providing communications which we think will be of interest to you; and

  • determining the effectiveness of promotional campaigns and advertising.

What information do we hold about you?

We will collect and use different personal information about you for different reasons, depending on our relationship with you.

Generally, we will hold information you provide to us during our interactions and conversations with you:

  • for example, information you provide when completing sign-up forms and subscribing to mailing lists (like your name, date of birth and email address);

  • information on how you use our online services, including our website, for example we collect data from your device, such as operating system and mobile network to analyse performance and fix issues. We also collect IP address, ID, location and other technical usage data;

  • information you give us explicit permission to access from your device such as your address book, photos, geolocation and data from your camera;

  • information from any online account that you share with us;

  • information you post on community groups;

  • recordings of your meetings with us; and

  • answers you give to surveys about our services.

Sensitive or Special Category Data

We may need to collect sensitive personal data, including information relating to your health, to help us provide and adapt our services to your needs. 

How do we use your information?

We may use your personal data for the following purposes:

  • to provide the requested services to you or direct you to products and services;

  • to monitor traffic patterns and usage of our websites to help improve the website design and layout;

  • to track, analyse and improve the services we provide you and others;

  • to prevent illegal activities like fraud;

  • to record and store communications made via phone, video call, email or online chat functions;

  • to personalise your experience on our websites or communications/advertising;

  • to provide customer service, including to respond to your enquiries and fulfil any of your requests for information;

  • to send you important information regarding the services and/or other technical notices, updates, security alerts, and support and administrative messages;

  • with your permission, provide you with information about other products or services offered by us or another company; and

  • as we believe to be necessary or appropriate:

    • in order to comply with a legal obligation. This applies where the processing is necessary for us to comply with the law;

    • to enforce or apply this Privacy Policy; and

    • to protect our legitimate rights, privacy, property or safety, and/or those of a third party and your rights do not override those interests.

When we use your “sensitive or special category data”, we must have an additional “lawful basis” and we will rely on the following lawful basis in these circumstances:

  • it is in the substantial public interest to comply with regulatory requirements relating to unlawful acts and dishonesty – such as carrying out fraud checks;

  • you have given your explicit consent to our use of your sensitive data; and

  • there is a substantial public interest in the prevention and detection of unlawful acts such as where we suspect fraud.

Who do we share your data with?

We will not disclose your personal data to third parties other than as described in this section unless we are otherwise legally permitted or required to do so.

We may transfer your personal data to third parties of the following types:

  • technology firms that provide the software, tools, testing and infrastructure we require;

  • third party service providers which maintain, administer or develop the website, internal systems and tools that we use;

  • companies providing analytics services;

  • data, service and software providers;

  • companies collecting and publicising customer reviews;

  • marketing services companies, including search engine and social media providers;

  • regulatory and law enforcement bodies.

We do not sell your personal data to any third parties.

We may send your information outside of the European Economic Area (EEA) for processing or use in accordance with this Privacy Policy. As mentioned above, we will only transfer your data where suitable safeguards have been put in place.

These safeguards are intended to ensure a similar degree of protection is afforded to your data wherever it may be transferred and include: 

  • only transferring your personal data to countries which have been deemed to provide an adequate level of protection for personal data by the European Commission;

  • where your data will be transferred outside of the EEA, entering into specific contractual terms which have been approved by the European Commission and which give personal data the same protection as within the EEA; or

  • where your data will be transferred to the US, ensuring that the third party to which we are transferring your data is part of the EU-U.S. Data Privacy Framework (DPF) or UK-US Data Bridge.

Use of AI and Automated Decision-Making

We use AI and automated decision-making processes in the following ways:

  • Customer Service: To provide responses to queries and deliver relevant content to you, for example when using an online chat tool;

  • Back Office: To record, summarise and transcribe meetings;

  • Fraud Detection: To monitor for suspicious activity to protect against fraud.

Legal Basis for Processing with AI:

The use of AI and automated decision-making is based on the following legal grounds under UK GDPR:

  • Consent: Where you have provided explicit consent for the use of AI in our services.

  • Contractual Necessity: Where AI processing is necessary for the performance of a contract with you.

  • Legitimate Interests: Where AI processing is in our legitimate interests and not overridden by your data protection rights.

How long do we keep it for?

Your data will only be retained for as long as it is still required to provide you with services or is necessary for legal reasons. We will not retain your personal data for longer than is necessary.  

The length of time we retain your data for will depend on the nature and sensitivity of the data, the purposes for which we are processing the data and any applicable statutory retention periods. Using these criteria, we regularly review the personal data which we hold and the purposes for which it is held and processed.

For the following reasons, we may retain your data for up to 10 years after you stop being our customer:

  • to respond to a question or complaint, or to show whether we gave you fair treatment;

  • to study customer data as part of our own internal research;

  • to obey rules that apply to us about keeping records.

We may retain your personal data for longer than 10 years if that is required for legal, regulatory or technical reasons.

When we determine that personal data can no longer be retained or where you request that we delete your data in accordance with your right to do so (please see below for more information), we ensure that this data is securely deleted, anonymised or destroyed.

However, please note that, in some circumstances we may decide to retain your personal data for research or statistical purposes and, in such circumstances, we will anonymise your data before retaining it.

Accuracy of your data

It is important that the personal data we hold about you is accurate and up to date. Please let us know if your personal circumstances or data change during your relationship with us.

Security of your data

The security of your data is important to us and we will therefore only transfer your data to such third parties if one or more of the following apply:

  • you have expressly consented to your data being shared with specific third parties;

  • the third party needs to access the personal data for the purposes of providing any contracted services to you;

  • the third party has agreed to comply with our instructions, required data security standards, policies, and procedures and put adequate security measures in place;

  • the transfer complies with any applicable cross border transfer restrictions and suitable safeguards have been put in place; and

  • a fully executed written contract that contains suitable obligations and protections has been entered into between the parties.

To protect your personal data, we have appropriate organisational and technical security measures. These measures include storing data on a dedicated and secure server with at least 256-bit encryption, restricting access to your personal data to certain employees, ensuring our internal IT systems are suitably secure, and implementing procedures to deal with any suspected data breach.

In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if appropriate, will notify you and any applicable authority of such a breach.

In addition to the above, where we have given you (or where you have chosen) a password which enables you to access certain parts of the website or some of the services we provide on third party sites, you are responsible for keeping this password confidential and should not share your password with anyone. When setting a password you should make it as secure as possible and not use the same password for different purposes.

Communications you may receive from us

Service communications - We may process your personal data to send you important information, such as changes to our existing services, if we have a contractual relationship with you. These are called service communications and you may receive them via email, phone, post and/or SMS. As service communications are crucial for us being able to deliver the service you signed up for, you will not be able to opt out from receiving them unless you stop using our service completely.

Direct marketing communications - We may process your personal data to send or display direct marketing communications to you, via email, phone, post, SMS, social media, search and display networks. We will do so only if we have a legitimate interest or you have given us your consent to receiving such communications. 

Where we rely on our legitimate interests, you can object to processing at any time by contacting us directly using the contact details provided in the How to contact us section at the end of this policy. Alternatively, where we process your personal data for direct marketing purposes based on your consent, you can change and manage your marketing preferences, including withdrawing your consent, by contacting us directly or clicking the “unsubscribe” link in emails. If you do opt out of marketing communications, you may still see some marketing material; however, it will not be tailored to you.

Personalised marketing communications on social media, search and display networks

We may share your personal data with third party social media and search and display network providers for the purpose of displaying tailored marketing communications to you and/or “custom” or “lookalike” audiences. Custom and lookalike audiences are other users who possess similar interests and characteristics as you. To create these we may upload your personal data to third party platforms, who will then match that data with the data they collect and hold about their platform users in order to create custom and lookalike audiences for us. When they do this, the third parties act as our data processors. However, when they perform subsequent data processing in order to display personalised marketing communications to custom and lookalike audiences based on the criteria we select, they may perform further data processing as independent or joint controllers. To find out more about the third parties we may work with and their data processing practices, please see the table below:

| Name of the third party | Name of the platform we may use | How the third party may use your data (when you sign up and use their services) | How you can manage your ads personalisation settings within the platform |
|---|---|---|---|
| Facebook | Facebook Ads | Terms of Use; Data Policy | About the ads you see from Facebook |
| Facebook | Instagram Ads | Terms of Use; Data Policy | Ads on Instagram |
| Google | Google Ads | Terms of Service; Privacy Policy; Privacy and Terms | Google Ads Settings |
| LinkedIn | LinkedIn Ads | User Agreement; Privacy Policy | LinkedIn Ads Settings |
| Microsoft | Microsoft Advertisement | Services Agreement; Privacy Statement | Ad Settings |
| YouTube | YouTube ads | Terms of Service; Privacy Policy | Change Video Settings |
| Mailchimp | Mailchimp | Terms of Service; Privacy Policy | N/A |
| LearnWorlds | LearnWorlds | Terms of Service; Privacy Policy | N/A |

Additionally, where the third party participates in self-regulation programmes for Online Behavioral Advertising, you can opt out from the use of your data for interest based advertising by some or all participating companies through these sites:

Your Online Choices (established by the European Interactive Digital Advertising Alliance);

Your Ad Choices (established by the Digital Advertising Alliance).

When we process your personal data to create custom or lookalike audiences we rely on our legitimate interests. You can object to this processing at any time by contacting us directly using the contact details provided under the How to contact us section.

We do not have a direct relationship with individuals of lookalike audiences and we are not targeting them as individuals but rather audiences which possess similar interests and characteristics to our customers.

Cookies

For more information about the cookies we use, please see our Cookies Policy.

External links and third party sites

You may find links to (and similarly from) external third party sites, some of which may include our advertising and distribution partners.

We cannot accept any responsibility or liability for the content or programs running on such third party sites. Please refer to the third party's terms of use and privacy and cookie policies before using and/or providing any information to or via their sites or apps as they may process your personal data for their own purposes.

What are your rights?

You have the right to:

  • access your personal data and request a copy of it;

  • ask us to amend information for accuracy;

  • request that we delete your personal data (please note that for legal or regulatory reasons we might not be able to do this);

  • withdraw any consent you've previously given us;

  • restrict the way in which we process your personal data (for example - you may wish to restrict processing if you contest the accuracy of the data and wish to have it corrected); and

  • object to us processing your data (this may prevent us from continuing to provide services to you).

To take any of these actions, please contact us using the details below and specify the right you wish to exercise.

How to contact us

If you would like to raise any concerns with this policy, have any questions or you would like to exercise your legal rights, please contact us by emailing support@james-shack.co.uk

How to make a complaint

If you believe at any time that we have not handled your data in accordance with this Policy you should contact us. We take all complaints seriously and try to resolve them quickly. Please contact us at support@james-shack.co.uk

You may also contact the Information Commissioner’s Office (ICO), which supervises the protection of data by companies within the UK.

Changes to this policy

When we change this document you'll be able to find the latest version here. We'll also contact you about changes if we think you need to know about them.

Version 2 (December 2024)