Privacy Policy


Introduction

We take your privacy seriously. This notice explains who we are, what personal data we collect, how and why we use it, who we share it with, your rights, and how to contact us or the Information Commissioner’s Office (ICO). We comply with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA).

Who We Are

Waddington Financial Planning LTD is the data controller of the personal data we collect.  We provide financial planning, financial advice, and intermediary product arrangement services to individuals and businesses.  Our contact details are provided at the end of this notice.  Our ICO Registration Number is: ZA559280

Personal Data We Collect

We may collect and process the following categories of personal data:

Information you provide to us:

·       Contact details: title, name, address, personal/work email address, personal/work telephone number

·       Financial and personal profile information relevant to financial planning

·       Documentation provided for identity verification

·       Information provided via forms, email, telephone or meetings

Information collected automatically

When you visit our website, we automatically collect:

·       IP address and approximate location

·       Browser type and device identifiers

·       Cookie data (including preferences, analytics and functional cookies)

·       Usage information (pages viewed, links clicked, time spent, website behaviour)

Information received from third parties

Where relevant, we may receive data from:

·       Product providers

·       Credit reference agencies

·       Anti‑fraud and financial crime databases

·       Introducers or referral partners

When we receive personal data from third‑party sources, we ensure those sources are legally permitted to share it.

How We Use Your Personal Data

The table below identifies how we use your personal data and the lawful basis relied upon:

Recognised Legitimate Interests (DUAA 2025)

Where appropriate, we may rely on the “recognised legitimate interests” lawful basis for processing activities such as crime prevention, fraud investigation and prevention, safeguarding, regulatory cooperation, and responding to public‑authority data requests.

We document each decision and ensure proportionality, necessity and auditability, as required under the DUAA (2025).

Special Categories & Criminal‑Conviction Data

In limited circumstances, we may process information relating to criminal convictions or offences for the prevention, detection and investigation of financial crime.

Where we process this information, we rely on the following lawful basis:

·       Legal obligation; and

·       Schedule 1, Part 2, Paragraph 12 – Data Protection Act 2018 (Regulatory requirements relating to unlawful acts and dishonesty)

We maintain an Appropriate Policy Document (APD) as required by law.

Marketing Communications

We may contact you with information about our own products or services using the “soft opt‑in” basis permitted under the Privacy and Electronic Communications Regulations (PECR). This applies where we obtained your contact details while providing a service or discussing a potential service with you, and where our marketing relates to similar products or services that you may reasonably expect to hear about. You can opt out of receiving these communications at any time by using the unsubscribe link in our emails or by contacting us directly. We will not share your details with third parties for their own marketing purposes without your explicit consent.

You can opt out at any time by:

·       Emailing: dataprotection@corbelpartners.co.uk

·       Clicking “Unsubscribe” in email marketing

·       Contacting us using the details provided below

We do not sell your data.


We may use third‑party service providers for email distribution or analytics; these providers act strictly under our instructions.

Cookies and Tracking Technologies

Our website uses cookies to support essential functions, analyse usage and improve experience. We rely on consent for non‑essential cookies.  Under DUAA reforms, limited exemptions apply (e.g., security‑related cookies).

Our separate Cookie Policy provides detailed information about the types of cookies used, retention periods and consent-withdrawal options.

Mandatory Information You Must Provide

We will tell you when certain information is optional.
In most cases, we require your personal data to:

·       Provide our services

·       Comply with regulatory obligations

·       Verify your identity

Where information is optional, we will request your consent before processing it.

How Long We Keep Your Personal Data

We retain your personal data only as long as necessary for the purposes explained in this notice:

·       Financial advice and product arrangement records: typically retained for a minimum of 6 years, or longer where required by FCA rules

·       ID verification: typically retained for 5 years

·       Marketing data: retained until you withdraw consent or after a period of inactivity

·       Financial‑crime prevention data: retained according to regulatory requirements

·       Complaint‑related data: retained until all matters are fully resolved and limitation periods have expired

When data is no longer required, we delete or anonymise it. If immediate deletion is not possible, we securely store it until deletion can occur.

International Data Transfers

We may transfer personal data outside the UK only where:

·       The destination country is subject to a UK adequacy regulation; or

·       We have implemented appropriate safeguards such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or

·       A permitted derogation applies

We ensure equivalent protection for your data when transferred internationally.

Automated Decision‑Making & Profiling

We do not use solely automated decision-making that produces legal or similarly significant effects.  

Profiling may be used for:

·       Product suitability

·       Customer segmentation

·       Fraud indicators

Where profiling is used, it does not produce legal effects.  You may request human involvement or object at any time.

Your Rights

You have the following rights under UK data protection law:

·       Access your personal data

·       Correct inaccurate or incomplete data

·       Request deletion

·       Object to processing

·       Restrict processing

·       Data portability

·       Withdraw consent at any time (where processing is based on consent)

·       Complain to the ICO

We respond to all rights requests within the statutory timeframe of 1 month.

Keeping Your Personal Data Secure

We use appropriate technical and organisational measures to protect your personal data, including:

·       Access controls

·       Encryption and secure servers

·       Staff confidentiality obligations

·       Monitoring and incident‑response procedures

If a data breach occurs that may pose a risk to your rights and freedoms, we will notify you and the ICO.

Complaints Process

We operate a formal internal data protection complaints process. If you have concerns, please contact us first so we can address them. If they remain unresolved, you can escalate your complaint to the ICO.

Our Supervisory Authority

If you are unhappy with how we process your personal data, you have the right to complain to:

Information Commissioner’s Office (ICO)

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Tel: 0303 123 1113

Website: https://ico.org.uk/make-a-complaint

We ask that you contact us first so we can attempt to resolve the issue.

How to Contact Us

If you wish to exercise your rights or have questions about this notice, please contact:

The Data Protection Officer

Corbel Partners Limited

750 Mandarin Court

Warrington
WA1 1GG

Email: dataprotection@corbelpartners.co.uk

Please provide enough information to identify you (name, email, phone number) and proof of identity where necessary.