Privacy. Data.
Rights.
This notice applies to all personal data collection and processing activities carried out by Springwood Capital (UK) Limited in its capacity as a data controller. Personal data processed on behalf of our clients via the Springwood platform is governed by separate data processing agreements, not by this notice.
- Controller
- Springwood Capital
(UK) Limited - Co. No.
- 06548824
- Jurisdiction
- United Kingdom
- Framework
- UK GDPR
DPA 2018
EU GDPR (where applicable) - Last updated
- TBD
(to be confirmed)
Controller, scope
and contact
Who we are. What this notice covers.
Purpose of this notice
This notice explains how Springwood Capital (UK) Limited collects and processes personal data through your use of this website and your engagement with us — including any data you provide when you request a briefing, enter into a pilot or commercial agreement, communicate with our team, or use the Springwood platform under a client account.
Please read this notice together with any other privacy or fair-processing notice we may provide on specific occasions, so that you are fully aware of how and why we use your personal data.
Two roles to distinguish
Springwood acts in two distinct roles for data protection purposes:
- i.As controllerFor personal data relating to website visitors, prospects, current and former client contacts, and recipients of Springwood communications. This notice covers that role.
- ii.As processorFor personal data uploaded into, generated within, or processed via the Springwood platform on behalf of a client institution. That processing is governed by the data processing agreement (DPA) executed with the client, not by this notice.
Controller
Springwood Capital (UK) Limited, registered in England & Wales (Company number: 06548824) is the controller and is responsible for the personal data described in this notice (collectively referred to as "Springwood", "we", "us" or "our").
If you have questions about this notice, or wish to exercise any of your rights as a data subject, please use the contact details below.
Contact details
- i.Legal entitySpringwood Capital (UK) Limited
- ii.Emailinfo@springwood-capital.com
- iii.Postal address45 Berkeley Court, Marylebone Road, London, NW1 5NB, United Kingdom
Your right to complain to the ICO
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK regulator for data protection matters, at ico.org.uk. We would, however, appreciate the chance to address your concerns before you approach the ICO, so please contact us in the first instance.
Changes to this notice
We keep this notice under regular review. The version date is shown in the rail above. It is important that the personal data we hold about you is accurate and current — please keep us informed if your details change during your relationship with us.
Categories of personal
data we hold
What we collect. And what we don't.
We may collect, use, store and transfer different categories of personal data about you, grouped as follows:
- D.01Identity DataFirst name, last name, title, date of birth (where required), nationality.
- D.02Employment DataEmployer, job title, professional role and the nature of your relationship with the client institution using our services (for example, director, signatory, MLRO, head of compliance).
- D.03Contact DataWork address, residential address (where provided), email address and telephone numbers.
- D.04Financial DataFor client billing only — bank account or payment card information.
- D.05Technical DataInternet Protocol (IP) address, browser type and version, time zone, location, browser plug-ins, operating system and platform.
- D.06Profile DataUsername, password (hashed), preferences, feedback and survey responses.
- D.07Usage DataInformation about how you use our website and platform.
- D.08Marketing & Communications DataYour preferences in receiving communications from us, and your communication settings.
Aggregated data
We also collect, use and share aggregated data (statistical or demographic data) for any purpose. Aggregated data may be derived from your personal data but is not personal data in law as it does not directly or indirectly reveal your identity. If we combine aggregated data with your personal data so that you can be identified, we treat the combined data as personal data under this notice.
Special category data
We do not knowingly collect any special category personal data about you (race or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health, genetic or biometric data) and we do not collect information about criminal convictions or offences in this controller capacity.
If you do not provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you or are trying to enter into with you, your business or your employer, and you fail to provide that data when requested, we may not be able to perform the contract. In that case, we may decline to provide the relevant service and will notify you at the time.
Three collection
routes
Three routes. Same record.
- i.Direct interactionsYou provide data by filling in forms or corresponding with us by post, phone, email or any other channel. This includes data you provide when you register an account, request a briefing or pilot, subscribe to publications, use our services, request information about our services, give feedback, or contact us for any reason.
- ii.Automated technologiesAs you interact with our website, we automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this through cookies, server logs and similar technologies. See our Cookie Policy for further details.
- iii.Third parties & public sourcesWe work with service providers, business partners, sub-contractors (technical and analytics), professional advisers and publicly available sources, and may receive and exchange information about you with them. Where you are introduced to us by your employer or business in connection with an application for or use of our services, we may receive information from them.
Lawful bases
and purposes
We only use data where
the law allows us to.
We will only use your personal data when the law allows us to. The lawful bases we rely on under Article 6 of the UK GDPR are:
- Performance of a contractWhere the processing is necessary for a contract we have with you, or to take steps at your request before entering into one.
- Legal & regulatory obligationsWhere we need to comply with a legal obligation under UK law (or, where applicable, EU law).
- Legitimate interestsWhere it is necessary for our legitimate interests or those of a third party, provided your interests and fundamental rights do not override those interests.
- ConsentIn limited circumstances, with your explicit consent — which you may withdraw at any time by contacting us.
The table below sets out the purposes for which we use your personal data, the data categories involved, and the lawful basis we rely on. We may rely on more than one lawful basis for a given purpose. Contact us if you need details of the specific basis being relied on for a particular activity.
| Ref. | Purpose / activity | Type of data | Lawful basis |
|---|---|---|---|
| P.01 | Register & evaluate | Registering you or your organisation as a Springwood prospect or client, evaluating enquiries and pilot requests. | Contract / pre-contract Legitimate interests Legal & regulatory |
| P.02 | Deliver services | Configuring the Springwood platform, providing access, training, support and ongoing operation under your client engagement. | Contract Legal & regulatory Legitimate interests |
| P.03 | Contact about services | Following up on incomplete registration, sending updates on platform changes and information you have requested. You may opt out at any time. | Legitimate interests Consent |
| P.04 | Improve our services | Analysing how you use the website and platform to gain insights and improve products, services and user experience. | Contract Legitimate interests Consent (where required) |
| P.05 | Customer support | Delivering account administration, investigating support requests, handling complaints and resolving disputes. | Contract Legal & regulatory Legitimate interests |
| P.06 | Marketing | Sending you information about Springwood products and related services where you have not opted out, and providing information about related products with explicit consent. | Consent Legitimate interests |
| P.07 | Protect business & site | Administering and protecting our business and website, troubleshooting, security, fraud prevention, testing, system maintenance and hosting. | Legitimate interests Legal & regulatory |
| P.08 | Analytics | Using data analytics to improve our website, products, services, marketing, customer relationships and user experience. | Legitimate interests Consent (where required) |
Marketing
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need (we call this marketing). You will receive marketing communications from us if you have requested information from us, or are an existing client, and have not opted out.
Opting out
You can ask us to stop sending you marketing communications at any time by following the opt-out link in any marketing message we send you, or by emailing info@springwood-capital.com.
Cookies
You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. If you disable cookies, please note that some parts of this website may become inaccessible or function incorrectly. See our Cookie Policy for further details.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis we are relying on. We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who we share
your data with
Disclosures, listed.
In order to deliver our services, your personal data may be shared with the following categories of recipient:
- i.Service providersActing as processors or controllers, based in the United Kingdom or the European Economic Area (EEA), who provide IT, cloud hosting, system administration, identity and authentication, customer-relationship management, analytics and communications services.
- ii.Professional advisersLawyers, accountants, auditors, insurers and consultants based in the United Kingdom and the European Union who provide legal, accounting, insurance, consultancy and audit services.
- iii.UK regulators & authoritiesHM Revenue & Customs, the Information Commissioner's Office, the Financial Conduct Authority (where applicable), and other UK regulatory or supervisory bodies.
- iv.Law enforcementLaw enforcement agencies, judicial bodies, government bodies and tax authorities, where we are required or permitted by law to share data.
- v.Corporate transactionsThird parties to whom we may choose to sell, transfer or merge parts of our business or our assets, or third parties whose business we may seek to acquire. If a change happens to our business, the new owners may use your personal data in the same way as set out in this notice.
- vi.Other permitted recipientsOther third parties where we are permitted by law to share your personal data, where it is in our legitimate interests or those of a third party, and not inconsistent with the purposes outlined above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
How data moves
across borders
UK and EEA by default.
We take the security of your data seriously, and all personal data is kept according to strict safeguards in compliance with the UK GDPR, the Data Protection Act 2018, and the EU GDPR where applicable. Your data is stored on cloud servers within the UK and EEA.
We will only store or transfer your data outside the UK or EEA where one of the following applies:
- Adequacy decisionThe jurisdiction has been recognised by the UK government (or, where applicable, the European Commission) as providing an adequate level of protection for personal data.
- International Data Transfer AgreementWe have entered into the UK IDTA, the UK Addendum to the EU SCCs, or other appropriate safeguards approved under UK GDPR.
- Other lawful mechanismA derogation under Article 49 of the UK GDPR applies (for example, explicit consent or necessity for performance of a contract).
Please contact us if you want further information on the specific mechanism we use when transferring your personal data out of the UK or EEA.
Safeguards and
breach response
Limited access. Audited use.
We have put in place appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They process your personal data only on our instructions and are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including, where required, the ICO within 72 hours) of a breach where we are legally required to do so.
How long we
retain data
As long as we need to. No longer.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.
To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
We will keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for ten years after they cease being clients, to meet UK tax and statutory record-keeping requirements.
In some circumstances you can ask us to delete your data (see § 09 below). In other circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use this information indefinitely without further notice to you.
Rights you can
exercise
Eight rights, under UK GDPR.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- R.01Right to be informedAbout what personal data we hold and how we use it — this notice fulfils that obligation.
- R.02Right of accessTo request a copy of the personal data we hold about you and to check that we are lawfully processing it (a "subject access request").
- R.03Right to rectificationTo have any incomplete or inaccurate data we hold about you corrected.
- R.04Right to erasureTo request deletion of your personal data where there is no good reason for us to continue processing it. We may not always be able to comply for specific legal reasons, which we will notify to you at the time.
- R.05Right to restrict processingTo request the suspension of processing — for example, to establish accuracy, where use is unlawful but you do not want erasure, or to defend legal claims.
- R.06Right to objectWhere we are relying on a legitimate interest, including the right to object to direct marketing at any time.
- R.07Right to data portabilityTo receive your personal data in a structured, commonly used, machine-readable format — applies only where processing is based on consent or contract and is automated.
- R.08Right to withdraw consentWhere we are relying on consent to process your personal data. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
To exercise any of the rights above, please email info@springwood-capital.com with "Data Subject Request" in the subject line, or write to us at 45 Berkeley Court, Marylebone Road, London, NW1 5NB, United Kingdom.
You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. We would, however, appreciate the chance to address your concerns before you approach the ICO.
No fee usually required
You will not have to pay a fee to access your personal data or to exercise any of the other rights. We may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive — in line with the UK GDPR.
What we may need from you
We may request specific information from you to help us confirm your identity before processing a rights request. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Time limit to respond
We try to respond to all legitimate requests within one month. If your request is particularly complex, or you have made several requests, this period may be extended by up to two further months — we will notify you and keep you updated where this is the case.
Data subject request ▸ To exercise any of the rights above, email info@springwood-capital.com with "Data Subject Request" in the subject line, or write to the London address.