Mercer Money

Privacy Policy

Who are we?

Mercer Limited (“we”, “our” or “us”) take the security of your personal data very seriously and are committed to protecting and respecting the privacy of the users (“you” or “your”) of our Mercer Money Platform (the “Platform”).

What is this privacy policy for?

We may handle your personal data in connection with your use of the Platform. This privacy policy (together with our Terms of Use and any other documents referred to in it) sets out, for the Platform, our collection and sharing practices, the uses to which personal data is put, the ways in which we protect it in accordance with the General Data Protection Regulation (EU 2016/679) and the Data Protection Act 2018 (“Data Protection Laws”) and your privacy rights. Please read it carefully.

Further notices highlighting certain uses we wish to make of your personal data together with the ability to opt in or out of selected uses may also be provided from time to time when we collect personal data from you.

This privacy policy covers our processing of your personal data.

1. WHAT DATA DO WE COLLECT?

We collect information directly from you (as set out in the paragraph below), and from certain third parties that have roles in delivering services to you or your employer, such as pension providers, or third parties that you instruct to provide us with information, such as your bank provider(s).

You might provide this information when you sign up to the Platform, edit your profile in the Platform (including when providing certain non-mandatory information), or communicate with us through email, by telephone or via a chat functionality within the Platform.

If you are a member of the Mercer Mastertrust, please note that your information is provided to us by Aviva or Scottish Widows on behalf of the Trustees of the Mastertrust, as necessary for us to be able to provide the Platform to you.  If you have any queries or if you would like more information about how the Trustees handle your information, you can contact Mercer on behalf of the Trustees by email at money@mercer.com or by calling 0330 808 9426.

The types of personal data we will typically hold and use in connection with your use of the Platform include:

  • contact information such as your name, address, email address (work and personal) and phone number;
  • biographical information such as your date of birth, marital or relationship status and gender;
  • information about your family members and dependents such as their names, dates of birth, addresses, and contact details;
  • employment information such as your HR/employee IDs, current and previous employers, length of time that you have worked in your employer organisation, job title, work location, department, intended retirement age, employment start date, employment end date and next pay date;
  • information about any existing financial products that you have, for example your pension details including details of policy numbers, fund values and contribution amounts;
  • information about any anticipated pension transfers that you have requested, including scheme details, estimated transfer values and selected investment strategy;
  • financial information such as your National Insurance Number or your Personal Public Service Number, home ownership, financial account numbers, savings account balances, loan balances, credit/debit card numbers and balances and transactions, share holdings and associated values, benefits information, and salary and other compensation;
  • decisions you may make with respect to your pension contribution, savings and day-to-day finances;
  • details of your correspondence with us;
  • technical information, such as your Internet Protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, screen resolution, flash version, time zone setting, browser plug-in types and versions, operating system, platform and traffic data, cookies data, web logs and other communication data, and details of the resources that you access, which we collect from you when you access the Platform; and
  • any other information you provide to us.

If you supply us with personal data about other people, you represent that you have the authority to provide this information on their behalf and you should direct them to this privacy policy. In these instances, you further represent that the individuals to whom this information relates have been informed of and understand the reason(s) for obtaining the information and the manner in which this information will be used and disclosed, and have consented to such use and disclosure.

2. HOW DO WE USE THE DATA WE COLLECT?

The personal data we collect enables us to provide you with access to the Platform and its features and enables you to interact with the Platform.

In particular, we use your personal data to:

  • set up your user account;
  • enable you to access and use the Platform, including to verify your identity when signing up to the Platform and verifying your account and to allow you to access information and functionality in respect of your spending habits and saving for retirement;
  • verify your identity when subsequently logging in and using the Platform;
  • contact you to provide personalised prompts and reminders to enable you to receive full functionality of the Platform;
  • initiate the process of transferring the value of your pension plan, when you choose to complete a pension transfer on the Platform;
  • contact you when necessary (including about changes to our service) and respond to your requests and enquiries;
  • provide technical assistance or allow any third party authorised by us to do so; 
  • manage troubleshooting problems, detect and protect against error;
  • market products and services to you, including ours, those of our affiliates, and those of other third parties, provided that, where required, we have obtained your consent to do so;
  • fulfil legal and regulatory requirements such as to enable us to comply with the rules, guidance or regulations issued by the Financial Conduct Authority or the Prudential Regulation Authority;
  • detect and prevent fraud, suspicious activities, and other illegal activities;
  • analyse and improve products and services, collect feedback, enhance the Platform, and evaluate the effectiveness of our marketing activities and overall services;
  • perform statistical analyses on users of the Platform and track your use of the Platform;
  • on an aggregated and de-identified basis, share data and statistical analyses with your employer for our own business purposes; and
  • provide you with access to third party platforms including Destination Retirement through Single-Sign-On where applicable.

Tracking users’ use of the Platform

We use various tools, and collect various information, to assess how you use and interact with the Platform, including information about your visit, such as the full Uniform Resource Locators (URLs) clickstream to, through and from the Platform (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information and methods used to browse away from the page and any phone number used to call us.

You can find more information about our use of this type of technology in our Cookie Notice.

3. DISCLOSURE OF YOUR INFORMATION

We may share your personal data to assist with managing and running the Platform and undertaking the activities set out in section 2 above, to help you understand and meet your retirement and financial goals, or to provide other products or services or support as requested by you, or your employer. In particular, we may share this information with:

  • your pension provider as instructed by you;
  • Aviva or Scottish Widows – to the extent that you are a member of the Mercer Master Trust who elects to initiate a pension transfer on the Platform;
  • our affiliates to enable them to provide services to you and, where we have the requisite consent, to contact you regarding additional products and services that may be of interest to you;
  • third parties who handle your personal data on our behalf in order to provide the Platform, including Moneyhub Financial Technology Ltd, who hosts and supports the Platform, and who may access your personal data on our behalf in order to make the Platform, and any other third-party platforms accessible through the Platform, available and in connection with providing enhanced functionality;
  • law enforcement agencies, regulatory authorities and other public bodies such as courts in order to comply with our legal or regulatory obligations; 
  • third party service providers that have been retained to perform services on behalf of your employer, or as authorised by your employer; and
  • your employer in an identifiable form where instructed to do so by you.

The third parties to whom we disclose information are required by law and/or contractual requirements to keep your personal data confidential and secure. These parties may not use or disclose it except as reasonably necessary to provide their services, or to comply with, or as permitted by, applicable law.

We may disclose your personal data without your prior permission, as permitted by law, including instances when we believe it is necessary to: (a) prevent physical or financial harm; (b) enforce the Terms of Use; (c) respond to claims of suspected or actual illegal activity or violation of third party rights; (d) respond to an audit or investigate a complaint or security threat; and/or (e) comply with law or legal process.

In the event we sell some or all of our assets, it is possible your personal data could be one of the assets transferred to the purchaser. We may disclose and/or transfer your personal data to a third party purchaser in these circumstances.

4. USING YOUR INFORMATION IN ACCORDANCE WITH DATA PROTECTION LAW

Data Protection Law requires that we meet certain conditions before we are allowed to use your personal data in the manner described in this privacy policy. To use your personal data, we will rely on one of the following conditions, depending on the activities we are carrying out: 

Consent 

We may provide you with marketing information about our services or products where you have indicated your consent for us to do so (to the extent that we are required to collect consent under Data Protection Laws).  We may contact you by email or phone (where you have agreed to those methods of communication) to provide you with the information on your requested service or product. We may also provide you with information, special offers, research, promotions, and similar products and services.  Where you have indicated your consent to us doing so, we may also pass your details to our group companies so that they can provide you with information on the products they provide. 

You may change your marketing preferences at any time by visiting our Marketing Preference page or by contacting us as set out in section 11 below. 

Legitimate interests

It is in our legitimate interests to collect your personal data as it provides us with information that we need to provide our services to you and to make our Platform available. 

This requires us to carry out a balancing test of our interests in using your personal data (for example, in order to provide you with access to the Platform and to satisfy the contractual obligations we owe to your employer), against the interests you have as a citizen and the rights you have under Data Protection Law (for example, to not have your personal data sold to third party marketing companies without your knowledge). 

The outcome of this balancing test will determine whether we may use your personal data in the ways described in this privacy policy. We will always act reasonably and give full and proper consideration to your interests in carrying out this balancing test.  

To provide you with the services that we have agreed to provide to you

We are permitted to hold and process some of your personal data because it is necessary to do so in order to provide you access to, and to enable you to make use of, the Platform. Without this personal data, we could not provide you with access to the Platform.

Compliance with a legal obligation

We are permitted to process your personal data where it is necessary for compliance with our legal obligations.

For legal claims

We are permitted to process your personal data where it is necessary to establish, pursue or defend a legal claim.

Substantial Public Interest

We are permitted to process your personal data where it is necessary for reasons of substantial public interest, on the basis of Data Protection Laws.

If we look to use your personal data for any other purpose not covered in this privacy policy, we will let you know about any proposed new purposes before using your personal data in this way. 

5. HOW LONG WE KEEP YOUR INFORMATION FOR

Our retention periods for personal data are based on business needs and legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. 

We usually keep your information for as long as required to:

  • respond to any questions or complaints;
  • show that we treated you fairly;
  • demonstrate compliance with our regulatory obligations; and/or
  • maintain records according to rules that apply to us.

We will also keep your information for as long as it is needed for legal, regulatory or technical reasons (such as to enable your log in access). We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

6. SENDING DATA OUTSIDE OF THE EEA

We may transfer or disclose personal data we collect to a destination outside the European Economic Area (“EEA”).  We will typically do this:

  • to comply with a legal duty;
  • where our staff are located outside of the EEA or in the unlikely event that we are required to share your personal data with our affiliates that are located outside of the EEA; or
  • where one of our suppliers provides elements of the services outside of the EEA. 

If we do transfer personal data outside of the EEA we will make sure that it is protected in the same way as if it was being used in the EEA and may be required to take specific additional measures to safeguard the relevant personal data.  Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to the Data Protection Laws (see the full list here) and therefore no additional safeguards are required to export personal data to these jurisdictions. In countries which have not had these approvals, we will establish legal grounds justifying such transfer, such as European Commission-approved model contractual clauses, or other legal grounds permitted by applicable legal requirements.

You can contact us as set out in section 12 below to find out more about safeguards we have in place for any transfers of your personal data outside of the EEA or if you would like to see a copy of the specific safeguards applied to the export of your personal data.

7. WHAT STEPS DO WE TAKE TO PROTECT YOUR INFORMATION?

All information you provide to us is stored on our or our subcontractors’ secure servers and accessed and used subject to our security policies and standards.  Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Platform, you are responsible for keeping this password confidential. We ask you not to share a password with anyone and may suspend or terminate your access to the Platform if you do so.

We restrict access to your personal data to those employees of ours, our affiliates, and third party service providers who reasonably need it to provide products or services. We have implemented commercially reasonable physical, electronic, procedural, administrative, and technical safeguards in a way that complies with the security requirements of the Data Protection Laws to protect your personal data, located in the countries where we are based (which may be outside the EEA), from unauthorised access. However, as effective as our security measures are, no security system is impenetrable. We cannot guarantee the security of these systems, nor can we guarantee that information supplied by you or on your behalf cannot be intercepted while being transmitted over the Internet.

8. WHAT RIGHTS AND OBLIGATIONS DO YOU HAVE WITH RESPECT TO YOUR DATA?

You have a number of rights under Data Protection Laws in relation to the way we process your personal data. These are set out below. You may contact us using the details in section 12 below to exercise any of these rights. We will respond to any request received from you within one month from the date of the request.

Description of Rights:

  • Right 1 - A right to access personal data held by us about you.
  • Right 2 - A right to require us to rectify any inaccurate personal data held by us about you.
  • Right 3 - A right to require us to erase personal data held by us about you.  This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent (if we are using your personal data based on your consent); or where you object to the way we process your personal data (in line with Right 6 below).
  • Right 4 - A right to restrict our processing of personal data held by us about you.  This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you require the data for the purposes of dealing with legal claims.  
  • Right 5 - A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format.  You also have the right to require us to transfer this personal data to another organisation, at your request.
  • Right 6 - A right to object to our processing of your personal data (including for the purposes of sending marketing materials to you).
  • Right 7 - A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with marketing information about our services or products). If you withdraw your consent, we may not be able to provide certain products or services to you.

These rights are subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege), and may not all be available in the country in which you are based. 

Updating information

Keeping your information accurate and up-to-date is very important. Inaccurate or incomplete information could impair our ability to deliver relevant services to you. We will use reasonable endeavours to ensure that your personal data is accurate.  In order to assist us with this, you should notify us of any changes to your personal data by updating your profile on the Platform or by contacting us as set out in section 11 below.

Intentionally providing false or misleading information or using another person’s email address or personal data for the purposes of falsely obtaining any products or services through the Platform, may lead to termination or forfeiture of the product or services and/or of access to the Platform and may result in legal action. 

9. THIRD PARTY WEBSITES

The Platform contains links to other third party websites.  If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data.  Please check these policies before you submit any personal data to such third party websites.

10. CHANGES TO THIS PRIVACY POLICY

We may change the content of the Platform and how we use cookies and consequently this privacy policy and our cookies notice and any other document to which they refer are subject to change at any time. If we make material updates to this privacy policy, we will update the date it was last changed and will clearly indicate this via a notification on the Platform and via email. Any changes we make to this privacy policy become effective immediately when we post the revised privacy policy on the Platform. We recommend that you review this privacy policy regularly for changes.

This privacy policy was last updated on 04 April 2023.

11. HOW TO CONTACT US

You can contact us at any time at money@mercer.com or on 0330 808 9426 if you have any questions about this privacy policy, or our privacy practices in general. You can also contact Mercer’s data protection officer at: 

Data Protection Officer

Marsh & McLennan Companies, Inc.

Tower Place West

London

EC3R 5BU

How to complain

Please let us know if you are unhappy with how we have used your personal data or are not satisfied with our handling of any request by you in relation to your rights. You can contact us using the contact details above.  You also have the right to complain to the Information Commissioner’s Office. Their address is: 

For the UK:

First Contact Team

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

United Kingdom

SK9 5AF

Find out more information on their website on how to report a concern.