Privacy Notice

Sidekick Money Ltd
Last reviewed and updated: 11th June 2026

1. About Sidekick

For the purposes of this Privacy Notice, Sidekick Money Ltd (Sidekick) of 6-7 St. Cross Street, London, England, EC1N 8UB is the Data Controller of your personal information.

Sidekick Money Ltd is registered with the Information Commissioner's Office (ICO) under registration number ZB565251.

Personal data is processed in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Sidekick has appointed a Data Protection Officer (DPO) who is responsible for overseeing questions about this Privacy Notice and for handling requests to exercise your legal rights. You can contact our DPO:

We will respond to all queries within one month.

2. Why we have a Privacy Notice

Sidekick is committed to protecting the privacy of everyone who uses our services and to being open and transparent about how we use personal data.

This Privacy Notice sets out the personal information we collect from you, what we do with it, how we keep it secure, and the rights and choices you have in relation to it.

3. Other relevant policies and terms

This Privacy Notice should be read alongside Sidekick's Website Terms of Use and Cookie Policy:

4. Information Sidekick may collect

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We will collect and process some or all of the following personal information about you.

4.1 Information you give us

During the course of creating and managing a Sidekick account or using any Sidekick service, the information you provide may include:

(a) identity data such as your full name, date of birth, postal address, national insurance number and copies of identity documents including passport or driving licence;

(b) contact data such as your email address, phone number and communication preferences;

(c) financial data such as your bank account details, transaction history, income and expenditure information and creditworthiness information;

(d) biometric data where you use facial recognition technology as part of our identity verification process;

(e) employment and income information provided as part of an application for our services;

(f) any other information you provide when you contact us, respond to a survey, use our live chat function or otherwise interact with us.

Biometric data is special category personal data under UK GDPR and is subject to additional safeguards. Further details of how we process this data and the basis on which we do so are set out in section 7(b).

4.2 Information we collect automatically

When you use our website or application, we automatically collect:

(a) technical data such as your IP address, device type, operating system, browser type and unique device identifiers;

(b) usage data such as how you interact with our application and which features you use, collected through cookies and similar technologies;

(c) location data where you have granted permission via your device settings.

4.3 Information we collect from third parties

We may also receive information about you from:

(a) credit reference agencies, including information about your financial history and creditworthiness;

(b) identity verification, fraud prevention and sanctions screening services;

(c) public databases and watchlists;

(d) open banking providers, where you have authorised a connection to your bank account.

5. Links to other websites

Our website and application may contain links to third party websites. Those websites have their own privacy policies and we do not accept any responsibility for them. Please review their privacy policies before submitting any personal information to those sites.

6. If you fail to provide personal data

Where we need to collect personal data by law or under the terms of a contract with you, and you fail to provide it when requested, we may be unable to provide you with some or all of our services.

7. What we do with your information

We only use your personal data when the law allows us to. The main purposes for which we process your personal data are set out below, together with the lawful basis we rely on in each case.

(a) To create and manage your account and provide you with the services you have signed up for, including our savings and investment products. We process your data under the lawful basis of contract performance.

(b) To verify your identity during onboarding, including through the use of facial recognition technology provided by our identity verification partner, Entrust. Where this involves biometric data, we process it under the lawful bases of legitimate interests and explicit consent, in line with our obligations under Article 9 of the UK GDPR.

(c) To assess your creditworthiness and product suitability, including by sharing your information with credit reference agencies. We do this under the lawful bases of contract performance and legitimate interests. Further information on how credit reference agencies use your data is available at www.transunion.co.uk/crain.

(d) To prevent and detect financial crime, including fraud and money laundering, by sharing your information with fraud prevention agencies, sanctions screening services and identity verification providers. The personal information we collect may be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services. We process your data under the lawful bases of legal obligation and substantial public interest (fraud prevention).

(e) Where we use third party AI service providers to power these features, they act as data processors on our behalf and process data only on our instructions. Before data is shared with any AI service provider, we remove directly identifying personal information to minimise the data involved. Your personal data is not used by our AI service providers to train their AI models. Where an AI service provider processes data outside the UK, this transfer is protected by Standard Contractual Clauses recognised under UK data protection law.

Our AI features are powered by Anthropic. Anthropic acts as a data processor on our behalf and processes your data only on our instructions. Your personal data is not used by Anthropic to train its AI models. Anthropic may process data in the United States and this transfer is protected by Standard Contractual Clauses recognised under UK data protection law.

See section 10 for further information about our use of automated processing.

(f) To provide AI-powered financial planning tools. We are introducing AI-powered financial planning features to the Platform. Initially these will provide informational guidance and planning insights based on your financial position and goals. We process your data for this purpose under the lawful basis of legitimate interests, as this forms a value-adding feature of our service that you would reasonably expect us to provide.

As this feature develops and its outputs become more significant in nature, we will update this Privacy Notice and our Terms and Conditions before those changes take effect and will notify you in advance.

(g) To process payments to and from your Sidekick account. We use TrueLayer to facilitate open banking payments. Further information on how TrueLayer processes your personal data is available at https://truelayer.com/legal/privacy/. We process your data under the lawful basis of contract performance.

(h) To send you service communications that are necessary for the operation of your account, such as changes to our terms or features. We do this under the lawful basis of contract performance.

(i) To send you marketing communications, where you have opted in. We process your data for this purpose under the lawful basis of consent. You can withdraw your consent and opt out of marketing at any time by using the unsubscribe link in any marketing email or by contacting us at compliance@sidekickmoney.com.

(j) To offer products and services that may be relevant to you based on your account history and preferences, where this goes beyond the AI-powered personalisation described in section 7(e). We do this under the lawful basis of legitimate interests.

(k) To improve and develop our services by analysing usage patterns and customer feedback. We do this under the lawful basis of legitimate interests.

(l) To monitor electronic communications for training and compliance purposes, to the extent permitted by law. We do this under the lawful bases of legitimate interests and legal obligation.

(m) To comply with our legal and regulatory obligations, including reporting to the FCA, HMRC and other authorities, and submitting Suspicious Activity Reports to the National Crime Agency. We do this under the lawful basis of legal obligation.

(n) In connection with the sale or restructuring of our business, where your personal data may be transferred as part of that transaction. We do this under the lawful basis of legitimate interests.

8. Disclosing your information

We do not sell your personal information to third parties.

We share your information with selected third party providers who assist us in delivering our services. All third parties are required to handle your data securely and in accordance with applicable data protection law. We do not permit third party providers to use your personal data for their own purposes.

The categories of third party with whom we share personal information include:

  1. Cloud computing and data storage providers
  2. Identity verification and fraud prevention services (including Entrust)
  3. Credit reference agencies
  4. Open banking and payment processors (including TrueLayer)
  5. Customer communication providers
  6. Analytics and performance monitoring tools
  7. Application development and engineering tools
  8. AI service providers
  9. Custodians and account providers, including Interactive Brokers (U.K.) Limited and Griffin Bank. Interactive Brokers processes your personal data in accordance with its Privacy Policy available at ibkr.com. Griffin Bank processes your personal data in accordance with its Privacy Policy available on the Griffin Bank website.
  10. Marketing and partnership administrators
  11. Regulatory bodies and law enforcement agencies, where required by law

9. Storing your information

(a) Security

We have implemented appropriate technical and organisational security measures to protect your personal information from unauthorised access, loss, alteration or disclosure. Access to personal data is limited on a need-to-know basis, and all employees and contractors handling personal data are subject to confidentiality obligations.

No electronic transmission or storage system is entirely secure. While we take all reasonable precautions, we cannot guarantee absolute security. You should only access our services through a secure environment.

We have procedures in place to identify and respond to personal data breaches and will notify you and the ICO where we are legally required to do so.

(b) Outside the UK

Our preference is to process your personal information within the UK or European Economic Area (EEA). Some of our third party service providers process data outside the UK, including Anthropic, which powers our AI features, and Interactive Brokers, which provides custody services. Where transfers outside the UK are necessary, we ensure that equivalent protections are in place by:

(i) only transferring to countries assessed by the ICO as providing adequate protection; or

(ii) putting in place Standard Contractual Clauses (SCCs) recognised under UK data protection law.

Some of our third party service providers process data outside the UK, including AI service providers and Interactive Brokers, which provides custody services. Where transfers outside the UK are necessary, we ensure that equivalent protections are in place by: (i) only transferring to countries assessed by the ICO as providing adequate protection; or (ii) putting in place Standard Contractual Clauses (SCCs) recognised under UK data protection law.

(c) Data retention

We will only keep your personal data for as long as is necessary for the purposes for which it was collected. Our standard retention period is 7 years from the end of your relationship with us. This reflects our obligations under applicable financial services regulation, including record-keeping requirements under MiFID II and the Limitation Act 1980. Where a specific legal or regulatory requirement sets a different period, this is documented in our internal retention schedule.

When personal data is no longer required, we will delete or anonymise it securely.

10. Automated processing

We use automated tools to assist with certain parts of our service. Where our team is meaningfully involved in overseeing these processes and human intervention is available, Article 22 of the UK GDPR is not engaged. Where processing is carried out on a straight-through basis without human review of an individual outcome, Article 22 may apply. In those cases we rely on the processing being necessary for the performance of our contract with you, or being authorised by law.

In all cases, if you have concerns about any automated process that has affected you, or would like to request that a member of our team reviews an outcome, please contact us at compliance@sidekickmoney.com. We will respond within one month.

We complete a Data Protection Impact Assessment before deploying any automated process that is likely to result in a high risk to your rights and freedoms.

11. Your rights - overview

We will need to verify your identity before processing any request to exercise your rights. You will not have to pay a fee, although we may charge a reasonable fee or decline to act where requests are manifestly unfounded or excessive. We will respond within one month, with a possible extension of two months for complex requests.

12. Access to your personal data

You have the right to request a copy of the personal information we hold about you, commonly known as a Subject Access Request. To make a request, please contact our DPO at compliance@sidekickmoney.com.

13. Correction of your personal data

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. Please keep us informed if your personal details change so that our records remain accurate.

14. Erasure of your personal data

You have the right to request that we delete your personal data where there is no longer a legitimate reason for us to hold it. This right is not absolute and may be limited where we are required to retain data to comply with a legal obligation or to defend a legal claim.

15. Objection to processing

You have the right to object to the processing of your personal data where we rely on legitimate interests as our lawful basis. You also have an absolute right to object to your personal data being used for direct marketing purposes at any time.

16. Restriction of processing

You have the right to ask us to restrict the processing of your personal data in the following circumstances:

(a) you are contesting the accuracy of the data we hold;

(b) the processing is unlawful but you do not want us to erase the data;

(c) we no longer need the data but you need us to retain it to establish, exercise or defend a legal claim; or

(d) you have objected to our processing and we are considering whether our legitimate interests override your objection.

17. Transfer of your personal data

You have the right to request that we provide your personal data to you or to a third party in a structured, commonly used, machine-readable format. This right applies where we process your data by automated means on the basis of contract or consent.

18. Withdrawing consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time by contacting us at compliance@sidekickmoney.com or by using the unsubscribe function in any marketing communication. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.

19. Cookies

We use cookies and similar tracking technologies on our website and application for essential operational purposes, security, analytics and, where you have given consent, marketing and personalisation.

You can manage your cookie preferences through our cookie banner or through your browser or device settings. Refusing non-essential cookies will not prevent you from accessing our core services.

For full details please see our Cookie Policy: https://app.termly.io/policy-viewer/policy.html?policyUUID=f1c935da-4c52-4682-b371-0b4f6210de61

20. Complaints

If you are unhappy with how we have handled your personal data, please contact our DPO in the first instance at compliance@sidekickmoney.com.

You also have the right to lodge a complaint with the ICO:

Information Commissioner's Office:
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
www.ico.org.uk
0303 123 1113

21. Changes to this notice

We may update this Privacy Notice from time to time. Where changes are material, we will notify you by email or through a prominent notice in our application. The date at the top of this notice reflects when it was last updated.