Privacy Notice

Introduction

We are committed to protecting your privacy when dealing with your personal information as data controller. This Privacy Policy sets out details of the information that we may collect from you and how we may use that information.

Please read this Privacy Policy carefully. When using our website (the "Website"), this Privacy Policy should be read alongside, and in addition to, the Website terms and conditions.

This policy was last updated in February 2023.

About us

In this Privacy Policy references to "we" or "us" or “GIM” or "Gatehouse Investment Management" has a registered office at The Helicon One South Place, London EC2M 2RB.

Gatehouse Investment Management is the data controller of your personal information in relation to the processing activities described below.

Our processing of your personal information

We will only collect information in line with relevant law and regulations. We will collect information about you when you interact with us, e.g. visit our website, work and contract with us, or call us.

Where you provide personal information to us about other individuals we will also be data controller of their personal information. You should refer them to this notice before supplying us with their data on their behalf.

The information we collect may include:

Contact - Your name, address, email address, landline and mobile numbers (which we’ll update with any changes you make)

Financial – information that may be needed about your or your organisation’s finances for regulatory or transactional due diligence, compliance checks, payments into your rent account, credit history and bank account details

Communications - Information that you give us by filling forms, or by communicating with us, whether face to face, by phone, email, or otherwise

Documentary Data - This could include documents like your photo ID, passport information, National Insurance number, National ID card, driver’s licence

Marketing and sales information - Details of services you receive and your preferences

Risk rating information - Information from Credit Reference agencies for Credit risk rating, underwriting information

Investigation data - Information that we need to support our regulatory obligations, e.g. due diligence checks, sanctions and anti-money laundering checks, external intelligence report, information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities.

How will we collect your personal information?

Information that you provide to us, e.g.

• personal details: e.g. name, date and place of birth;
• contact details: e.g. address, email address, mobile and landline numbers
• information relating to your identity: e.g. passport, National id, National insurance number
• information that you give us by filling out forms or by communicating with us, whether face- to-face, by phone, email, or otherwise;

Information we collect or generate about you, e.g.

• information we use to identify and authenticate you;
• marketing and sales information: e.g. details of services you receive, your preferences;
• cookies to deliver content specific to your interests, and for other purposes, your IP address, the pages you visit within our site.
• risk rating information: e.g. credit risk;
• records of correspondence between us, e.g. emails;
• information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious activity.

Information we collect from other sources, e.g.:

• from Credit Reference Agencies such as Equifax;
• public information sources such as Electoral register or Companies House;
• from your employer, solicitor or trustees;
• third party investors or organisations involved in raising capital;

What will we use your personal information for?

• We may use your personal information for a number of different purposes. In each case, we must have a "legal ground" to do so. We will rely on the following “legal grounds”, when we process your "personal information":
• We need to use your personal information to enter into or perform the services that we provide to you or your business or employer. For example, we need to use your personal information to set you up on our systems and communicate with you.
• We have a legal or regulatory obligation to process such personal information. For example, our regulators require us to make certain checks and hold certain records of our dealings with you or your business or employer. These include verifying your identity and the source of your funds.
• We need to use your personal information for a justifiable purpose (e.g. to keep a record of the decisions we make when different types of applications are made, to keep business records, to carry out strategic business analysis, review our business planning and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests and ensure that your right to privacy is taken into consideration and that we have justifiable reasons for using the personal information in that way.

When the information that we process is classed as “special categories of personal information", we must have an additional “legal ground". We will rely on the following legal grounds when we process your "special categories of personal information":

• We need to use such special categories of personal information to comply with our regulatory requirements to investigate any potential unlawful act or dishonesty, malpractice, money laundering or other seriously improper conduct.
• We need to use such special categories of personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings.
• You have provided your consent to our use of your special categories of personal information. This may be because you have a specific health condition and wish us to know about it in our dealings with you.
• Further detail on these legal grounds are provided below.

Processing activity, To provide our services to you. : Our reason Administer our services to you Legal Ground We will do this in order to perform our contract with you

Processing activity, To provide our property management services to you, your business or employer our reason, We will use your information to enable the provision and function of our services in line with regulation, laws and customer rights and interests, e.g. complaints management and exit management. Legal Ground The lawful reasons for processing these are legitimate interest.

Processing activity To prevent and detect crime including, e.g. fraud, terrorist financing and money laundering. Our reason, This will include monitoring, mitigation and risk management, carrying out customer due diligence, name screening, and customer risk identification. We may share your information with relevant agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. For further information on our use of fraud agencies please see below. Legal Ground We do this to comply with our legal and regulatory obligations. This may include special categories of personal data to comply with our regulatory requirements to investigate potential unlawful acts or dishonesty, malpractice or other seriously improper conduct.

Processing activity Risk management, Our reason We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk, operational risk.
For further information on our use of credit reference agencies see below. Legal Ground We will do this because we have a legitimate interest in ensuring that we carry out a proper risk assessment prior to providing some services.

Processing activity, Protecting our legal rights. Our reason, We may need to use your information to protect our legal rights, e.g. in the case of defending or the protection of legal rights and interests (e.g. enforcing
or protecting our security or defending rights of intellectual property); court action; managing complaints or disputes. This may be in connection with action taken against you or other persons,. Legal Ground We would do this on the basis that it’s in our legitimate interest or for the purposes of defending legal claims.

Profiling and Automated Decision Making

We will not undertake any automated decision making using your personal data.

Who we might share your information with

• We may share your information with others where lawful to do so including where we or they:
• need to in order to provide you with services you’ve requested, e.g. property management services;
• have a legal or regulatory duty to do so, e.g. to assist with detecting and preventing fraud, tax evasion and financial crime;
• need to in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
• have a legitimate business reason for doing so, e.g. to manage risk, verify your identity, or assess your suitability for tenancies and services;
• have asked you for your permission to share it, and you’ve agreed.

We may share your information for these purposes with others including:

• sub-contractors, agents or service providers who work for us or provide services to us;
• anybody else that we’ve been instructed to share your information with;
• tax authorities, credit reference agencies, payment service providers and debt recovery agents;
• any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition, or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;
• law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
• other parties involved in any disputes;
• fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity;
• anyone who provides instructions or operates any of your accounts on your behalf, e.g. Power of Attorney, solicitors, etc;
  

How long do we keep personal information for?

We will keep your personal information for as long as reasonably necessary to comply with our legal and regulatory requirements or use it for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise.

We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on your relationship with us and the type of personal information. Indicative retention period is 6 years after the end of any contract.

What is our approach to sending your personal information overseas?

All personal data you provide to us is stored and handled in the UK.

If at any time we transfer your personal information to, or store it in, countries located outside of the UK/EEA (for example, if our hosting services provider changes) we will ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law. This is because some countries outside of the UK/EEA do not have adequate data protection laws equivalent to those in the UK/EEA.

Your rights

You have a number of rights in relation to the information that we hold about you which we set out below. These rights might not apply in every circumstances. You can exercise your rights by contacting us at any time using the details set out in section 9. We will not usually charge you in relation to a request.

Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn't comply with our own legal or regulatory requirements. In these instances we will let you know why we cannot comply with your request.

In some circumstances, complying with your request may result in your product being cancelled. For example, if you request erasure of your personal information, we would not have the information required to administer your product. We will inform you of this at the time you make a request.

• The right to access your personal information: You are entitled to details about the personal information we hold about you and certain details of how we use it.

We will usually provide the details to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

• The right to rectification: We always take care to ensure that the information we hold about you is accurate and where necessary up to date. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.

• The right to restriction of processing: In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.

• The right to withdraw your consent: Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information.

Please note that for some purposes, we need your consent in order to provide your services. If you withdraw your consent, we may need to cancel your services. We will advise you of this at the point you seek to withdraw your consent.

• The right to erasure: This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdrawn consent.

Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a regulatory obligation to keep it.

• The right to data portability: In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party. This is where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file.

• The right to make a complaint with the Regulator: You have a right to complain to the Information Commissioner's Office (ICO) if you believe that we have breached data protection laws when using your personal information.

You can visit the ICO's website at https://ico.org.uk/ for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

You can exercise your rights by contacting us using the details set out in the ‘Contacting us’ section below.

Our use of Fraud Prevention Agencies

We may carry out checks with fraud prevention agencies for the purposes of preventing fraud and money laundering, and to verify your identity before we provide some services to you. These checks require us to process personal information about you.

The personal information you provide or which we’ve collected from you, or received from third parties, will be used to carry out these checks in order to prevent fraud and money laundering, and to verify your identity.

We’ll process personal information such as your name, address, date of birth, contact details, financial information, and employment details, device identifiers including IP address and vehicle details and employment details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. This processing is also a contractual requirement of any of our products or services you use.

Fraud prevention agencies can hold your personal data for different periods of time. If they’re concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.

Consequences of Processing

If we, or a fraud prevention agency, have reason to believe there’s a fraud or money laundering risk, we may refuse to provide the services requested. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services or employment to you. The information we hold about you could make it easier or harder for you to get credit in the future.

To find out more about fraud prevention agencies and how they manage your information, please visit https://www.cifas.org.uk/privacy-notice.

How do we protect your information?

We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website and any transmission is at your own risk. Once we have received your personal information, we put in place reasonable and appropriate controls to ensure that it remains secure against accidental or unlawful destruction, loss, alteration, or unauthorised access.

Our website may contain links to other websites run by other organisations. This policy does not apply to those other websites‚ so we encourage you to read their privacy statements. We cannot be responsible for the privacy policies and practices of other websites even if you access them using links that we provide. In addition, if you linked to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.

What we need from you

You’re responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible. If you provide information for another person (e.g. a joint account holder, a beneficiary under an insurance policy or a dependant), you’ll need to direct them to this notice.

Contacting us

If you would like further information about any of the matters in this notice or if have any other questions about how we collect, store or use your personal information, you may contact our Data Protection Officer at our holding company by e-mailing us at privacy@gatehousebank.com.

Updates to this notice

From time to time we may need to make changes to this notice, for example, as the result of changes to law, technologies, or other developments.