Privacy Statement

The security of your data is really important to us. 
You can find out more about how we protect and use data here.



We constantly review how we use and store information. You can find out how we use data and learn more about your rights in our Privacy Statement below. This document was last updated on 20th October 2023. 

Grab a fresh coffee, and find somewhere comfortable to sit as this is quite a detailed document, as you would expect for such an important issue. 
If you prefer, you are welcome to give us a call and we would be happy to chat it through with you and address any concerns or requirements you may have. 
The number to use is 02920 890444.
1. What this Privacy Policy covers

This is the Privacy Policy for Heron Wealth Management Limited (referred to in this policy as "we", "us" or "our"), which is a financial services business whose main purpose is to advise and support its clients on pension, investment, life cover and other employee benefits matters.

Heron Wealth Management Limited is a Private Limited Company, operating under the law of England and Wales. Companies House Registration Number 05360438. We are registered with the Information Commissioner under Z9000387. Heron’s data controller is Kenneth Burfitt. Ken is a Director and major shareholder in the business. The business also has a trading name, "Buylifecoveronline.co.uk".
 
If you have any questions about this privacy statement you are invited to contact us using the following details. 

• Heron Wealth Management Limited, 2 Alexandra Gate, Ffordd Pengam, Cardiff, CF24 2SA
• Direct line - 02920 890444
• Email - compliance@heronwm.co.uk

Heron Wealth Management Limited is authorised and regulated by the Financial Conduct Authority. It provides "restricted" financial advice to clients. Restricted in this context means that it is not obliged to review products from the whole of the available market before making a recommendation and instead can offer products or funds from a more restricted list of suppliers. 

To ensure that our clients' requirements are catered for to the best of our ability, we maintain strong links with a "Whole of Market" IFA firm called Priscum Limited. Priscum Ltd is authorised and regulated by the Financial Conduct Authority. It offers products from the whole market. Priscum Limited has its own separate Privacy Statement, which can be accessed at the following link: www.priscum.com.

Whilst Heron Wealth Management Limited and Priscum Limited are separate legal entities, you are encouraged to read the Privacy Statements of both businesses for completeness if you require a whole of market solution.

We are committed to putting the needs of our clients first and being transparent on how we collect, use and protect your personal information. We want you to be confident that the personal information you give us is safe and secure with us and to be able to understand how we use it to facilitate the services we offer to you. Please let us know if you need information provided to you in a more accessible format and we will do what we can to ensure that you can access our services (whether online or in person) in a way that best fits your needs.

This Privacy Policy explains:

• the personal information we collect;
• how and why we collect and use your personal information; 
• why we process your personal information;
• when and why we will disclose your personal information to other organisations;
• the rights and choices you have when it comes to your personal information; 
• the steps we take to ensure your information is kept secure and confidential; 
• how long we will hold your information for; and
• how to contact us.

2. Personal information we collect

In order to carry out work for our clients, we ask that they provide us with sufficient information to enable us to be properly informed of the circumstances surrounding their project or appointment. “Clients” for this purpose may be one or more of the following entities, including but not limited to companies, individual(s), families, partnerships, statutory organisations, charities or Boards of Trustees.

We carry out a wide variety of projects for our clients. Depending on the nature of the client and the work you/they are appointing us to undertake, the information collected may be quite wide-ranging, and can include details of any current, prospective or past pension scheme or plan, group pension or life assurance plan, personal insurance, life assurance or other group Personal Health Insurance or Medical Insurance scheme you are asking us to review, consult on or operate for you. This list is not exhaustive. 

We always seek to limit the amount of information collected as far as possible, to that which is necessary to carry out the engagement or project.

The information we collect may include (but is not limited to):

• Personal details, including without limitation, name, postal and billing addresses, email addresses, phone numbers, date of birth, title, marital status, National Insurance number, dependents, employment status, income and primary bank.
• If you have asked us to assist you with an insured death or health benefit, or succession planning, we may hold high level information on your health and that of your family, but only to the extent that you have directly supplied us with that information, and only where directly relevant to the work that you have asked us to undertake for you.
• Financial information including contribution history, debt, liabilities and loans, and may include salary and tax information, details of shareholdings, savings and investments (including insurances). 
• Attitude to risk and capacity to accept any losses as relevant to ascertaining the suitability of any investment, project or benefit.
• Information on professional appointments and qualifications as well as the degree of control an individual or body has over any business and their permission to commit an organisation/Trustees to a particular course of action. For Anti Money-Laundering purposes, we may screen for information on politically exposed persons using professional data services.
• We may also hold and process information on Director Disqualifications and Bankruptcies as well as high level company and accounts information as recorded at Companies House.
• Detailed information about the pension and benefits schemes which you are a member/sponsor of, or act as a Trustee of, including sufficient information for us to carry out the work you have asked us to undertake including (but not limited to) Trust Deed and rules, accounts, membership data, contracts for suppliers of services and benefit entitlement information, and minutes of meetings. Where necessary, this may include high level information about dependents.

3. How we collect and use your personal information

Information may be provided to us in many ways, including written information such as copies of documents, via conversations which we record (by written notes, or electronically with your permission), or by other electronic means such as exchange of emails with enclosures.

It may also be explicitly provided by you completing “fact-find” documents we or others supply to you.

We may also obtain and retain publicly available information from the Internet such as Companies House Web-check data, company accounts and background information on your company.

The actual use and quantity of information sought and processed will vary greatly depending on the work you have asked us to undertake, and we are happy to discuss this with you in sufficient detail for you to be comfortable about our approach before you engage us. We do not wish to retain any more information than is necessary to fulfil the role you have engaged us to complete for you.

For all prospective clients, before starting work on a project or appointment, and periodically thereafter, we will need to verify your identity and that of any body you represent for Anti Money-Laundering Purposes. This may include taking a copy of your passport or Photocard Driving Licence etc. or be done electronically. We use an external service called Veriphy. More information on this service is available on their website www.veriphy.com.

4. Why do we process your personal information?

We process data so that we can properly undertake the projects or appointments you have engaged us to undertake for you.

We will only collect and use your personal information (as described in sections 2 and 3) in accordance with data protection laws. We must also have a legal basis (gateway) before we are permitted to collect or process your personal data. Processing personal data includes recording, storing, altering, using, sharing or deleting data. We only need one of these “gateways” and for our purposes they are – 

• You consent - Consent may be requested in certain cases, e.g. to obtain a reference for a new employee, but generally we do not rely on your consent to process your personal data.
• To perform our contract with you - so that we can carry out our responsibilities as outlined in our engagement letter.
• Compliance by us with a statutory or other legal obligation - We may process your information without your knowledge where this is required or permitted by law, for example to comply with Anti-Money Laundering regulations.  
• Where this is in your vital interests - for example, if there is a life-threatening situation, or you are incapacitated, or in respect of a death claim from an insurance policy.
• Where we are pursuing our own legitimate interests or those of a third party - This would be for the efficient operation of our business and those we routinely work with. This will not apply if our interests are overridden by your interests or your fundamental rights and freedoms. We must carry out a balancing exercise therefore to decide whether we can rely on this gateway to ensure that it applies.  

From May 2018, you have a right to object to our use of your personal information for these legitimate interests.

Any data must be processed by us fairly and openly.  

5. Use of children's personal information and personal health information – sensitive data

We do not knowingly collect or store any personal information about children under the age of 18, except where parents or guardians have provided this information to us directly, and then, only where it is directly relevant to a particular project we have been asked to undertake. This would usually only be necessary where you ask us to undertake a project where dependents' rights or needs should be considered. Where this is the case, enhanced protection applies to such data, and its use/retention is kept to an absolute bare minimum. This also applies to health information.
These are known as Sensitive categories of data.

6. Sharing your personal information with others.

Any of your personal information, including contact details, gathered while operating our business shall not be sold to third parties for the purposes of unsolicited communications.

7. Disclosure of your personal information to other organisations

The personal information that we collect when you provide it to us is confidential. We may however disclose your personal information to a third party/service provider/statutory body or similar, to comply with relevant legislation and/or enable us to fulfil our contract or agreement with you.    

These organisations include:

• Priscum Limited, with whom we work closely and share staff;
• Credit reference agencies;
• Insurance companies or other businesses we need to approach for information or new business illustrations or quotations directly relevant to the work we have been engaged to undertake.  
• If required or permitted to do so by law; 
• If required to do so by any court, the Financial Conduct Authority or any other applicable regulatory, compliance, governmental or law enforcement agency;
• If necessary in connection with law enforcement, legal proceedings or potential legal proceedings;

8. How you can change permissions

Your privacy is of huge importance to us. We don’t generally mass market, but on the rare occasions where we need to mail you, any marketing emails or other forms of bulk communication directly from us to you will include clear instructions on how to unsubscribe. 

If you don't want to be contacted by us anymore or wish to restrict our use of your data you can email us at compliance@heronwm.co.uk. 

Please note that if you do not allow us to process your data it may mean that we are no longer able to act for you. If that is the case we will engage with you to either find a workable solution or formally resign the engagement, depending on the circumstances.

Section 9 below also sets out your other information rights.

9. Your information rights and responsibilities 

If you request it in writing, you will have the following rights:

• Right to correct: the right to have your personal information rectified if it is inaccurate or incomplete;
• Right to erase: the right to request that we delete or remove your personal information from our systems. We do not have to comply with a request to erase your personal information if we need to use that personal information for our overriding legitimate business interests or as may otherwise be required by law. We may not be able to provide our products or services to you if you ask us to erase your personal information.
• Right to restrict our use of your information: the right to 'block' us from using your personal information or limit the way in which we can use it;
• Right to data portability: the right to request that we move, copy or transfer your personal information; 
• Right to object: the right to object to our use of your personal information including where we use it for our legitimate interests, or where we use your personal information to carry out profiling to inform our market research and user demographics. If you raise an objection we will stop processing your personal information unless very exceptional circumstances apply, in which case we will let you know why we're continuing to process your personal information.
We will use reasonable efforts consistent with our legal duty to provide you with your rights in accordance with data protection legislation. 

9.1 To make enquiries, exercise any of your rights set out in this Privacy Policy and/or make a complaint, please email compliance@heronwm.co.uk.

9.2 If you're not satisfied with the way any complaint you make in relation to your personal information is handled by us then you may be able to refer your complaint to the relevant data protection regulator. In the UK, this is the Information Commissioner's Office. 

Additionally, you have the right to lodge a complaint with the Supervisory Authority who is –

Information Commissioner
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

www.ico.org.uk
 
10. Keeping information about you secure is very important to us, so we store and process your personal information in accordance with the high standards required under data protection legislation. 

Our suppliers’ servers are based in the UK and we only use high quality, “cloud based” data storage solutions and systems from major suppliers. 
 
All Laptops and Computer hard drives are password protected and encrypted and have high quality Anti-Virus software set to regularly update automatically. All computer equipment which is taken outside our premises is capable of being remotely erased if stolen or lost and is BitLocker encrypted.

Laptops are rarely used outside the office or home base and when used remotely, they are not permitted to hold more client data than is essentially required for meetings on that particular day.

Our business dealings with you may include liaison with third party service providers (such as insurance companies) which operate outside the EEA. Different countries have different data protection and security laws and some of these do not offer the same level of protection as you enjoy under UK data protection legislation. Whenever you engage with other businesses, such as insurance companies and investment businesses, you should check their Privacy Statements for details of how they store data before you instruct us to work with them/pass them your data.

We do our best to keep the information you disclose to us secure. However, we can't guarantee its security. By using our services, you accept the inherent risks of providing information online and agree that you will not hold us responsible for any third party breach of security.

11. How long do we keep your personal information?

Unless a longer retention period is required or permitted by law, we will only hold your personal information on our systems for the period necessary to fulfil the purposes outlined in this Privacy Policy or until you request it is deleted. 
For most projects (except where conflicting regulations require a longer retention period) this means we will retain your data for five years after the end of our project or engagement.

If, having registered for any of our services, you do not use them for a reasonable time (which may vary depending on the service(s) you've registered for) we may contact you to ensure you're still happy to receive communications from us. 

Even if we delete your personal information, it may persist for a longer period on back-up or archival media for legal, tax or regulatory purposes. 

12. How to contact us

If you have any queries relating to our use of your personal information or any other related data protection questions, please feel free to contact us at compliance@heronwm.co.uk.

13. Changes

This policy was last reviewed and amended on 20th October 2023.

We may, from time to time, make changes to this Privacy Policy to reflect any changes to our privacy practices in accordance with changes to legislation, best practice or developments in the way we operate. We will let you know what these changes are by posting the new privacy notice on www.heronwm.co.uk. 

Where the changes are significant, we may also choose to email you with the new details and ask for your consent to make these changes where this is required by law. 

It is your responsibility as a user to make sure that you are aware of changes posted on this page, by checking for any changes on a regular basis. Unless stipulated by law, any changes posted on this page will become effective as soon as they are posted.


