Governance · Schedule G

Privacy notice

How Sustainable Wealth Group ("SWG") processes personal data through the VC Portfolio Audit & Architect tool, under the UK GDPR and Data Protection Act 2018.

1. Data controller

Sustainable Wealth Group, London (Mayfair). Data Protection Officer: dpo@sustainablewealthgroup.co.uk. ICO registration number: [PLACEHOLDER — to be inserted on first publication].

2. What we collect and why

The table below sets out each processing activity, the categories of personal data involved, the lawful basis we rely on and how long we retain the data.

| Activity | Lawful basis | Retention |
|---|---|---|
| Self-certification capture (FPO 2005 status declaration). Data: first name, email, FPO route (Article 19 / 48 / 50 / 50A / international equivalent), jurisdiction, disclaimer version snapshots | art_6_1_c_legal_obligation. Financial Promotion Order 2005 record-keeping: firm-side reasonable belief of investor status must be retained for the duration of the FCA/FSMA evidence window. | 6 years from last interaction. |
| Audit & Architect tool operation (calculation, blueprint render). Data: wealth band, annual deployment band, position history (year, ticket, sector, stage, deal source), tax position inputs, blueprint output | art_6_1_f_legitimate_interest. SWG's legitimate interest in operating the tool, and the investor's legitimate interest in receiving the blueprint they requested. Balancing test documented in /admin/dpia. | 6 years from last interaction. |
| Direct marketing (quarterly Intelligence Briefing, Wealth Architects Programme updates). Data: first name, email, engagement events | art_6_1_a_consent, pecr_reg_22_marketing. Explicit opt-in tickbox on Step 3 of /architect/certify. Consent written to consent_history table with timestamp, IP hash and consent_basis. Withdrawal via one-click unsubscribe and /manage-preferences (also logged). | Retained while consent is active. Deleted within 30 days of withdrawal (except in compliance_logs, which remain immutable). |
| Cookie tracking (analytics and marketing). Data: device identifiers, session activity, page paths | art_6_1_a_consent, pecr_reg_6_cookies. Granular opt-in via the cookie banner. Strictly necessary cookies (session, CSRF, language, banner state) are exempt under PECR Regulation 6(4). | Analytics: 14 months. Marketing: 12 months. Consent decision logged for 12 months then re-prompted. |
| Immutable compliance audit trail. Data: event type, lead identifier, payload (versions, disclaimer snapshots), IP address (hashed after 30 days), user agent | art_6_1_c_legal_obligation. FCA/FSMA evidence retention. Also relied on as legitimate interest (Article 6(1)(f)) in maintaining a regulatory audit trail. | 6 years from event date. IP addresses pseudonymised (hashed) after 30 days per data minimisation principle. |

3. Special category data and automated decisions

We do not process special category data under Article 9 of the UK GDPR. The tool does not carry out solely-automated decision-making with legal or similarly significant effects under Article 22 — your blueprint is information only, never a recommendation or a binding decision.

4. Recipients and international transfers

Personal data is processed on our behalf by Lovable Cloud / Supabase (hosting, database), Resend (transactional email) and HubSpot (CRM). Where any processor operates outside the UK, the transfer is covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.

5. Your rights

Under UK GDPR Articles 15–22 you may request access, rectification, erasure, restriction, portability, or object to processing. You can also withdraw any consent at any time. Submit a request via the Data Subject Access Request form. Marketing preferences can be managed at /manage-preferences.

You also have the right to complain to the Information Commissioner's Office at ico.org.uk.

6. Cookies

Our use of cookies is described separately at /cookies.

This notice is counsel-drafted as Schedule G of the SWG Compliance Review v6.1. The text above is a structural placeholder pending counsel sign-off — see /admin/disclaimers (key: privacy_notice_long).