Privacy Policy

Version date: March 2026

1. Introduction

1.1 Viaduct Advisory (‘we’, ‘our’ or ‘us’) are committed to protecting your privacy where we collect and handle any personal information relating to you from which you can be identified (called ‘Personal Data’).

1.2 This Privacy Policy tells you about the Personal Data that we collect; how we process such Personal Data and who we may share it with. It also provides information below about certain legal rights you have in relation to the Personal Data that we hold about you. You should also read this Policy in conjunction with our Terms of Business.

1.3 When collecting and processing the Personal Data referred to in this Privacy Policy, we observe our obligations under the UK General Data Protection Regulation (called the ‘UK GDPR’), Data Protection Act 2018 (‘DPA’) and other applicable laws that regulate the collection and processing of Personal Data, as may be updated or replaced from time to time (together referred to as ‘Data Protection Law’)

2. Changes to this Privacy Policy

2.1 From time to time, we may amend this Privacy Policy, for example, if there is a change in the law or the way in which we process Personal Data. Please therefore check that you have seen the latest version. If changes to this Privacy Policy are particularly significant, we may notify you of these directly.

3. What Personal Data do we collect?

3.1 The Personal Data that we collect (in any form or medium) includes the following:

(a) your name, address, phone and other contact details;
(b) information regarding your personal or family circumstances;
(c) information about other living individuals (such as your family members or professional advisers);
(d) information we need to collect about you (or anyone else) in order to provide our services (as described in our Terms of Business). This may include information about your health or the health of family members or other insured individuals (which is one of the types of Personal Data known under the UK GDPR as ‘Special Category Personal Data’ – see paragraph 7.2 below);
(e) information to verify your identity so we can conduct client due diligence for anti-money laundering purposes or conduct checks to deal with other potential risks, such as fraud;
(f) information we may need to comply applicable legal or regulatory obligations (such as financial services regulation);
(g) data collected through use of ‘cookies’ when you visit our website. For more information about this and how to change your cookie preferences, please see our Cookie Policy.
as well as any other Personal Data that you choose to provide us with from time to time.

4. How your Personal Data is collected

4.1 We collect Personal Data in various ways. In particular:

(a) when you contact or communicate with us;
(b) when we receive information about you from your professional advisors;
(c) if we access information from third party sources such as online databases to conduct client due diligence or other verification checks as referred to above;
(d) when you use our website (for example, when you fill in an online form or when we use cookies);
(e) from other sources that we may tell you about from time to time.

5. Information about third parties

Please ensure that any Personal Data you supply to us which relates to third party individuals (such as family members) is provided to us with their knowledge including them knowing about us and our proposed use of their Personal Data as described in this Privacy Policy.

6. What we use your Personal Data for

As well as the purposes mentioned above, we may use Personal Data we receive for one or more of the following:

(a) to deal with enquiries about the types of services we can offer;
(b) to provide our services to you and others who you require us to provide services to (such as family members);
(c) to take the necessary steps to enter into, perform or enforce any contract we may have with you;
(d) to monitor the quality of our services and to conduct customer surveys;
(e) to deal with any queries, complaints or other communications we receive from you or your advisers.
(f) to provide you with direct marketing communications about what we are doing as well as products, services and/or campaigns which may be of interest to you by post or phone. If required under Data Protection Law, where we contact you by SMS, email, social media and/or any other electronic communication channels for direct marketing purposes, this will usually be subject to you providing your consent. You can object or withdraw your consent to receive direct marketing from us at any time, by contacting us using the email address below.
(g) to establish our legal rights or to enforce and/or defend any legal claims; and/or
(h) for any other purpose required by applicable law, regulation or the order of any court, regulatory authority or law enforcement body.

7. The lawful grounds on which we collect and process your Personal Data

7.1 We process your Personal Data relying on one or more of the following lawful grounds:

(a) where you have freely provided your specific, informed and unambiguous consent for particular purposes;
(b) where we agree to provide services to you, in order to take any pre-contract steps at your request and/or to perform our contractual obligations;
(c) where we need to use your Personal Data for the legitimate interests of us being able to operate, manage and administer our business. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your privacy and other legal rights;
(d) where we need to protect your vital interests or those of someone else (such as in a medical emergency); and/or
(e) if we need to collect, process or hold your Personal Data to comply with a legal or regulatory obligation.

7.2 Except for data relating to health as referred to above, we do not usually collect what is known under the UK GDPR as ‘Special Category Personal Data’. This covers data relating to a person’s ethnic origin, political, philosophical or religious beliefs, physical or mental health, sex life, or trade union membership. It also covers genetic or biometric data used for the purposes of identifying someone.

However, if we do collect or process such Special Category Personal Data (or any Personal Data relating to allegations of criminality, criminal convictions and offences) we will only do this where we have established an applicable lawful basis under Data Protection Law. Usually this means we have obtained your explicit consent or where we need to process such Personal Data in connection with a legal claim (including establishing or exercising legal rights in respect of a possible claim).

8. Disclosing your Personal Data to third parties

8.1 We may disclose your Personal Data to certain third-party organisations who are handling that data on our behalf under a written contract and our instructions (called ‘processors’ under Data Protection Law), such as:

(a) companies and/or organisations that provide us with IT services or data hosting; or
(b) companies and/or organisations that support our business operations and/or fulfil transactions (e.g. payment processors); and
(c) providers of databases that we may access to conduct client due diligence or other required checks.

8.2 We may also disclose your Personal Data to third parties who make their own determination as to how they process your Personal Data (called ‘controllers’ under Data Protection Law), such as a bank, law firm or other professional who you ask us to share your Personal Data with or our own legal advisers for the purposes for establishing, exercising or defending legal claims.

8.3 We may also transfer your Personal Data to another entity in the event that we reorganise our business or are subject to a merger, sale or acquisition although this should not affect the purposes for which Personal Data is held and processed as described in this Privacy Policy.

8.4 The third-party controllers external to us with whom we deal as described above will handle Personal Data in accordance with their own procedures and you should check the relevant privacy policies of these third-party organisations to understand how they may use your Personal Data.

8.5 Other than as described above, we will treat the Personal Data we received from you as private and will not disclose such Personal Data to third parties without you knowing about it. The exceptions are:

(a) in relation to criminal or regulatory investigations, legal proceedings or other situations where we cannot tell you for legal reasons;
(b) where we use third-party processors who are engaged under contract to handle data on our behalf (as described above).
However, all cases we take appropriate steps to ensure that such Personal Data is only used by third-parties for lawful purposes and in compliance applicable Data Protection Law.

9. International Transfers

We may transfer certain Personal Data to processors and vendors providing IT services or other business support who operate overseas outside the United Kingdom or European Economic Area (EEA). This may include countries such as India whose laws are not currently regarded under the UK GDPR as providing the same standard for protection of Personal Data as you enjoy in the UK or EEA. These overseas transfers are referred to ‘restricted transfers’.
Whenever we undertake such a restricted transfer of Personal Data, we will only do so in a manner that complies with Data Protection Law. This means for occasional restricted transfers, we may rely on an exemption under Data Protection Law that permits such a transfer to take place subject to certain conditions. This is usually based on having your explicit, informed consent to make the restricted transfer or the transfer being necessary for:

• the establishment, exercise or defence of legal claims;
• performance of a contract to which we are a party, entered into in your interests; or,
• performance of a contract between you and us, or us taking certain pre-contractual measures at your request.

Alternatively, where we are transferring Personal Data on a regular basis, we use specific standard contractual clauses (SCCs) and/or other legal measures approved for use by the EU Commission or UK Information Commissioner’s Office (ICO) which are considered to give the transferred Personal Data adequate legal protection in accordance with Data Protection Law.

If you require further information regarding these measures, you can contact us using details below in paragraph 13.

10. How long we retain your Personal Data for

10.1 We retain Personal Data identifying you for as long as you have a relationship with us and as necessary to perform our obligations to you. We also retain certain Personal Data as referred to above after our relationship with you has ended so we can review, enforce or defend contract claims and/or comply with legal or regulatory obligations.

10.2 We have a data retention policy that sets out the different periods we retain data for in respect of relevant purposes in accordance with our duties under Data Protection Law. The criteria we use for determining these retention periods are based on various legislative requirements as well as guidance issued by the ICO and other relevant regulatory authorities.

10.3 Personal Data we no longer need is securely disposed of and/or anonymised so that the relevant individual can no longer be identified from it.

11. Security that we use to protect Personal Data

11.1 We employ appropriate technical and organisational security measures to protect Personal Data from being accessed by unauthorised persons and against unlawful processing, accidental loss, destruction and damage.

11.2 We also take reasonable steps to protect Personal Data from external threats such as malicious software or hacking. However, please be aware that there are always inherent risks in sending information over public networks and we cannot 100% guarantee the security of all data sent to us (including Personal Data).

12. Your Personal Data rights

12.1 Under Data Protection Law you have various rights which are exercisable by making a request to us in writing. These are:

(a) the ‘subject access’ right under which can request a copy of the Personal Data that we hold about you;
(b) that we correct Personal Data that we hold about you which is inaccurate or incomplete;
(c) that we erase your Personal Data if we no longer need to process it;
(d) to object to any automated processing (if applicable) that we carry out in relation to your Personal Data;
(e) to object to our use of your Personal Data for direct marketing;
(f) to object and/or to restrict the use of your Personal Data in certain circumstances unless we have a legitimate reason for continuing to use it; or
(g) that we transfer Personal Data to another party where it has been collected with your consent or is being used to perform contract with you and is being processed by automated means.

12.2 If you would like to exercise any of the rights set out above, please contact us at the address below.

12.3 We may ask for further information to verify your identity or clarify the scope of your request before we can reply, and we may refuse to comply with (or charge for) any vexatious, manifestly unfounded or excessive requests. Usually, we will take one month to respond unless the request is complex in which case, this response date may be extended by a further two months.

12.4 If you make a request and are not satisfied with our response or still believe that we are illegally processing your Personal Data, you have the right to complain to the ICO – see https://ico.org.uk/.

13. Contact

If you have any queries regarding this Privacy Policy or wish to make a request relating to your Personal Data as described above, please contact our data protection manager (Kevin Andrews) as follows: kevin@viaductadvisory.com