Who do we share personal data with?
Internal Recipients
Although we control your personal data, we may share it with other entities within the Shares Group. These include, but are not limited to, the following EEA entities:
- Shares SAS
- Shares Poland Support Services Sp. z o.o.
We share data within the Shares Group as our entities rely on each other to provide our Services.
External Recipients
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. Third-party data processors can’t use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our written instructions.
- Third Party Service Providers. These include IT and cloud service providers, third party software and platform providers, vendors, compliance partners (including identity verifiers and performers of relevant checks), analytics services providers, advertising affiliates, card payment service providers (Checkout Ltd), open banking providers (Plaid), execution brokers (Alpaca Securities LLC) and Shares’ electronic money account provider (Modulr FS Limited).
- Regulators and Authorities. These include regulatory bodies, such as the UK’s Financial Conduct Authority and Information Commissioner’s Office, authorities including tax authorities and the National Crime Agency (NCA), as well as other formal bodies who we must engage / report to.
- Professional advisers. These include lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
If we choose to sell, transfer or merge parts of our business or our assets, we’ll share your personal data with the new owners of our business, who may use your personal data in the same way set out in this privacy policy.
Do we transfer your data internationally?
We may transfer your data outside the UK or the European Economic Area (EEA).
Whenever we transfer your personal data out of the UK or the EEA, we make sure it’s given a similar degree of protection by guaranteeing at least one of the following safeguards is implemented:
- We’ll only transfer your personal data to countries that the European Commission has deemed to provide an adequate level of protection for personal data
- We’ll make sure that appropriate contractual protections are in place with third parties that we share personal data with outside of the EEA & UK (as approved by the European Commission or the UK Information Commissioner’s Office where relevant)
How long do we retain personal data for?
We’ll only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. In this case, we may use this information indefinitely without giving you further notice.
What rights do you have over your personal data?
In certain circumstances, you have the right under data protection law to:
- Request access to your personal data. This is the right to access and receive a copy of your personal data and other supplementary information. This right is not absolute and may be subject to certain limitations and exemptions.
- Request correction of your personal data. This is where we’ll rectify inaccurate or incorrect data we process about you.
- Request erasure of your personal data. This is the right to request the erasure of your personal data. This right is not absolute and may be subject to certain limitations, depending on our lawful basis for processing your personal data.
- Object to our processing of your personal data. This is only an absolute right when related to direct marketing. For all other data processing, you can object. We’ll then review and process your request subject to relevant limitations, such as the lawful basis for processing your personal data in the first instance.
- Request restriction of processing your personal data. This is not an absolute right. Where you have a particular reason for requesting that we restrict our processing of your data, you can request to do so. This may limit the way we use your personal data.
- Request transfer of your personal data. This is the right to data portability; it allows individuals to obtain and reuse their personal data for their own purposes across different services.
- Right to withdraw consent. Where you have provided your consent for us to process your personal data, you have the right to withdraw such consent.
- Right to object to solely automated decision-making and profiling that produces legal or similar effects. This right is not relevant to Shares users as we do not presently participate in data processing that is solely automated and makes decisions which have a legal (or similar) effect.
Should you wish to make such a request, you can do so by messaging us in the ‘Support’ section of the Shares app or emailing us at privacyrequests@shares.io. You can also opt out of direct marketing by clicking unsubscribe at the bottom of any marketing email.
Generally, you don’t have to pay a fee to exercise any of these rights, and we'll confirm completion of your request within one calendar month.
However, we may charge a reasonable fee or extend our timeline for responding in cases where a request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We’ll always notify you in the event this occurs.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us or our DPO in the first instance.
Our Data Protection Officer
In accordance with data protection legislation, Shares has appointed a Data Protection Officer (DPO). You can contact our DPO in a number of ways:
- In writing. FAO: The DPO, Shares App Limited, 6 Ramillies Street, London, England, W1F 7TY, United Kingdom.
- By email. DPO@shares.io
The DPO is there to assist data subjects generally. However, the most efficient way to exercise your rights under data protection legislation is by emailing privacyrequests@shares.io
Glossary
Personal Data
Personal data, or personal information, means any information about an individual which could identify that person. It does not include data where the identity has been removed (anonymous data).
Data Subject
An identified or identifiable living individual to whom personal data relates.
Data Controller
Controllers are the main decision-makers of personal data processing. They have overall control for the purposes and means of processing personal data.
Lawful Basis
For every processing activity we take part in, we must have a valid lawful basis to do so. The following are considered lawful bases under applicable data protection legislation:
- Consent
- Legitimate Interest
- Contract
- Legal Obligation
- Vital Interests
- Public Interest
- Consent. An unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed.
- Legitimate Interest. If the processing is in the legitimate interests of Shares and the data subject’s interests / expectations do not override our legitimate interests, this lawful basis can be relied on. An assessment must be performed to identify whether this is an appropriate lawful basis.
- Contract. Data can be processed if the data is necessary to perform a contract with the data subject.
- Legal Obligation. If processing personal data is required to comply with a common law or statutory obligation under UK or EU law, then this is considered a lawful basis.
- Vital Interests. If the data processing is in the Vital Interests of the data subject, then this is a lawful basis. If it’s possible to protect the person’s vital interests in an alternative and less intrusive way, then this basis doesn’t apply.
- Public Interest. If processing personal data is required ‘in the exercise of official duty’ or to perform a specific task in the public interest that is set out in law, then this is a lawful basis.
As detailed in Section 7 of the Privacy Policy, data subjects have rights over their personal data. These rights aren’t always absolute, meaning they sometimes depend on which lawful basis a data controller relies on to process the data. The ICO has included a table of how some lawful bases and rights interact here.
Pseudonymisation
Pseudonymisation is the processing of personal data in a way that it can no longer be attributed to a specific data subject without the use of additional information. This is provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Anonymisation
Data can be considered 'anonymised' when individuals are no longer identifiable. If data is fully 'anonymised', it doesn’t qualify as personal data.