This is the Privacy Policy of Cantab Asset Management Limited (‘Cantab’).

For institutions, the equivalent information applies to inter alia your legal structure, governing deeds, legal entity indentifiers.

In order to provide our services, we obtain information about your personal and financial situation and may collect the following information:

  • Identity details: Such as your name, age, date of birth, gender and national insurance number.
  • Personal and Professional Contact details: This includes your email, phone number, mobile number and address.
  • When you apply for a client account with us:
    – Employment details.
    – Family details.
    – Information regarding your current health condition.
    – Associated third party information, this includes your spouse, children or beneficiaries of trusts.
    – Financial details, this includes source of wealth, existing investments, tax returns, and bank details.
  • Details concerning your attitude to investment risk. This is collected via the completion of a questionnaire with guidance from our Advisors.
  • Lifestyle information (such as hobbies and interests). We collect this information so that we can better tailor any material we may send to you.
  • Account activity. This information is generated and collected through the provision of our services to you.
  • Information on your children and dependants: Where a child is named as a beneficiary on the policy taken out by a parent or guardian on their behalf. In these cases, we will collect and use only the information required to identify the child (such as their name, age, gender).
  • Internal Protocol (IP) address: This information is collected passively when you use our website or client portal.
  • Use of our website: This information is collected through cookies as further explained in our Cookies Policy.

We may be provided with the information listed above by:

  • Your relatives and other mutual contacts
  • Your parent(s) or legal guardian in relation to minors
  • Trustees of a trust you are connected with, and
  • Trust beneficiaries
  • Your registered agent or introducer

We have published this policy so that you understand what we do and why, and in order that, if you wish to challenge us, you have information about your rights.  This policy is not detailed with respect to all aspects of our processing of personal data because so much depends on your needs and individual circumstances.  We have given as much information as we can by way of default, and we supplement this where appropriate in other documentation.

The purposes are as follows:

  1. Marketing to you as a prospective client
  2. Accepting you as a client
  3. Dealing with you as a client
  4. Performing our services to clients which involve processing personal data about others associated with them, such as a spouse, parent, guardian, child, other family member, a representative of our client, or a trustee, settlor or beneficiary
  5. Operating our business

We have included sections dedicated to describing your rights, our contact information generally and how you can make a complaint.


1. Marketing to you as a prospective client

The market in which we operate is competitive and we must continue to attract new clients.  To that end we have a legitimate interest in marketing our services to existing and potential clients.  We believe our services are of interest to a range of private clients, family offices and institutions.

Our efforts to attract potential clients bring us directly and indirectly into contact with them to communicate information about our services.  We are not intrusive and always respect the wishes of individuals once we are aware of them.

We use information you have provided us to:

  • Communicate directly with you via telephone, e-mail, and other forms of electronic communication.
  • Send you materials about our business, events and information relating to investments.

In addition to any information you have provided us, we may also obtain personal data for marketing purposes from reputable sources, including:

  • Social Media such as LinkedIn
  • Relevant data in the public domain (Corporate websites)
  • Referrals from existing clients
  • Information from external data providers in relation to potential target clients only


2. Accepting you as a client

Where you ask us to act for you there are preliminary steps we need to take before we enter into a contract with you.  The process of accepting you as a client has two main parts:

  • Compliance by us with legal obligations to know our clients and to prevent money laundering and terrorism financing; and
  • Obtaining the information we need from you to open your account and provide our services.

Verification documentation: This is collected from you to assist us with verifying your identity and contact details. We need to verify the information you provide to us in order to fulfil our legal obligations, and for this purpose we commonly use public and privately available electronic information sources (we may use third party credit and identity check agencies for this purpose).


3. Our dealings with you as a client

Once you have entered into a contract with us, we are able to act for you and carry out your instructions. However, we are also under legal obligations to:

  • Know our clients and to prevent money laundering and terrorism financing
  • To monitor changes in our relationship with you and your affairs.

Thus, from time to time we must repeat the steps we take when accepting you as a client, and the same considerations apply in relation to the processing of personal data relating to you.

The nature of the information we need to provide our services depends on your instructions.  Our requirements are reflected in the forms we ask you or others to fill in, and in questions we ask in correspondence and e-mail, or when meeting you or others in person or speaking on the telephone.  However, we won’t collect information for which we don’t have a reasonable need in order to carry out your instructions.

Personal data relating to your health is only collected where it is necessary to fulfil your instructions.  We will ask you to consent to our obtaining of such information and to its processing for that purpose.

Unfortunately, if you don’t consent or we’re not provided with the information we need in full, we won’t be able to fulfil your instructions adequately or at all.


4. Performing our services and processing information about others

It is in the legitimate interests of our business to process personal data relating to people other than our clients where necessary in order to provide services to our clients.  In some cases, the processing is also in the interests of the third party.

The nature of the information we need to provide our services depends on your instructions.  Our requirements are reflected in the forms we ask you or others to fill in, and in questions we ask in correspondence and e-mail, or when meeting you or others in person or speaking on the telephone.  However, we won’t collect information for which we don’t have a reasonable need in order to carry out your instructions.

As above, Personal data relating to health is only processed where it is necessary to fulfil our client’s instructions.  We will ask you to consent to our obtaining of such information and to processing it for that purpose.


5. Operating our business

This section is concerned with the systems we use to process personal data and our processing of personal data for internal purposes.  It is not concerned with the nature of the data, the classes of individuals on whom we process data, the classes of the data, the sources and disclosures of the data, nor the period of time which we hold data.

We process personal data using the following principal systems and networks:

  • A client relationship management system which is the repository of all information we hold on current, past and target clients.  This system is operated and maintained by Cantab staff.
  • Cantab Online, which is a web-based portal through which our clients are able to access and manage information relating to them and their investments and products.  Cantab Online is operated by Cantab staff and is hosted on our behalf by a third party.
  • Local and wide area networks for the transmission of data within and between our site locations.  The communications services which form part of these networks are procured from a third party, and all data transmitted across the networks are transmitted by Cantab staff or representatives or third-parties with whom we are dealing in the course of business.
  • Corporate systems for the processing of all other data.

Cantab staff and representatives use computer and communications equipment to access these systems, to perform their duties, and in particular work stations, laptop computers, other mobile computing devices and mobile phones.

Personal data is stored on these devices appropriate to the use for the time being.
Additionally we may use Personal data for internal Training purposes, Corporate governance, management and reporting on a company and group-wide basis.

The legal basis on which we deal with people who are not clients or associated with a client depends on the circumstances. In all cases we make sure that we have a legitimate reason to do so in connection with our business.

We communicate and deal with all manner of people in the ordinary course of our business, whether suppliers, regulators, other competent authorities, and others incidentally in connection with our business from time to time. In the course of doing so, having regard to the nature and purpose of those dealings, we will obtain and process personal data. We do not use the data for any purpose other than for which it was given to us.

The reasons why we disclose personal information and to whom depends on the services you’ve instructed us to provide and our legal obligations as a provider of financial advisory and investment services. Where we are unsure whether or not you are aware of the disclosure to be made, we will inform you beforehand wherever possible.  However, on occasion we disclose information to:

  • HM Revenue & Customs
  • Custodians of your assets
  • Members of your family, including your spouse, partner or other adult members of your family or dependants if you are one of our private clients, where it has been agreed that our services will include these third parties.
  • Representatives, trustees, settlors or beneficiaries if you are one of our charity or trust clients, and in each case, where it has been agreed that our services will include these third parties
  • Very infrequently, we are required by law to report matters to law enforcement agencies for the prevention and detection of crime, including the police and the National Crime Agency. In certain circumstances we are not permitted to inform you that we’ve done so or intend to do so.
  • The Financial Conduct Authority, The Financial Ombudsman, and the Information Commissioner’s Office

To fulfil our commitments to you, we share your information with several third party organisations who perform certain tasks on our behalf. Information is only shared with these third parties to the extent necessary in order to enable them to provide the services required on our behalf. These third parties act on our instructions and are processors of your information. These organisations:

  • provide financial crime prevention or credit reference services
  • are firms such as registrars and custodians that hold your assets;
  • are approved providers and administrators of financial products (including Pension administration services (e.g. SIPPs), and Insurance administration services)
  • Provide us with professional advice (such as our accountants, lawyers and compliance consultancies).
  • We also may share your information with third parties you have a direct contractual relationship with (such as your appointed agent) or to assist in facilitating your acquisition of a third party’s products and services. In these instances the third party is likely to also be a controller of your information for their own purposes. We ensure that we have in place strong data sharing protocols with these third parties to govern and guide the sharing of your information in these circumstances.

The security and confidentiality of your information is extremely important to us.

All personal data which is collected and recorded, whether on paper or electronically, has appropriate safeguards applied in line with our legal obligations.

Data is protected by our internal policies and procedures designed to minimise loss or damage through accident, negligence or deliberate actions. Our employees undertake regular training in relation to data protection and are subject to duties of confidentiality which apply to the personal data we obtain and process.

Our Information security controls are aligned to industry standards and good practice. This provides a secure control environment that effectively manages risks to the confidentiality, integrity and availability of information. Additionally our controls ensure we can restore your data in situations where the data is corrupted or lost in a disaster recovery situation.

Where appropriate, we use encryption or other security measures which we deem appropriate to protect your information. We also review our security procedures periodically to consider appropriate new technology and updated methods. But, despite our reasonable efforts, no security measure can ever be perfect or impenetrable.

If you would like more details or are concerned about any particular issue, please contact our Data Protection Officer at the details below.

Your information is processed in the UK and European Economic Area (EEA).

Where your information is being processed outside of the EEA, we take additional steps to ensure that your information is protected to at least an equivalent level as required by applicable data protection laws.

We have a legitimate interest to keep all records relating to our business for our internal purposes and to deal with queries or complaints which may arise.

As a regulated business we also need to keep records for 5 years or longer if required.

We keep personal data of clients only where and for so long as it is necessary to provide you with our products and services while you are a client and afterwards for so long as necessary to meet our legal or regulatory obligations or, if longer, for in relation to claims which could be made against us. Our normal practice is to keep Client information for at least 5 years after you cease to be a client.

We may record telephone calls and other electronic communications to monitor our communications, provision of our services and for audit and training purposes. We store call and other communication recordings securely in accordance with our retention policies and applicable laws. Access to those recordings is restricted to those individuals who have a need to access them for the purposes set out in this Privacy Policy.

A cookie is a small file that is saved onto your computer or other device when you visit our website. They store small pieces of information, for example, to record you’ve visited our website or performed a certain action, and to improve your experience when you visit our website. Our website may contain links to other websites of interest. However, once you have used these links to leave our website, please be aware that we do not have any control over that website. This means that we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such websites, or which cookies are used. Such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

You have several rights under data protection law in relation to how Cantab processes your information. These are identified below. More information can be obtained from the Information Commissioner’s website at


Right to be informed

You have a right to receive clear and easy to understand information on what personal information we have, why and who we share it with. We do so by means of this Privacy Policy.


Right of access

You have the right to know what personal data we process and to be provided with access to the information. If you wish to receive a copy of the personal information we hold on you, you may make a subject access request.


Right to request that your personal information be rectified

If your personal data are inaccurate or incomplete, you can request that they are corrected.


Right to request erasure

You can ask for your information to be deleted or removed if there is not a compelling reason for Cantab to retain it.


Right to restrict processing

You can ask to block or suppress the processing of your personal data for certain reasons. This means that we are still permitted to keep your information but only to ensure we don’t use it in the future for those reasons you have restricted.


Right to data portability

You can ask for a copy of your personal data for your own purposes to use across different services. In certain circumstances, you may move, copy or transfer the personal information we hold to another company in a safe and secure way; for example, if we’re moving your pension to another pension provider.


Right to object or withdraw consent

You can object to Cantab processing your personal data where it is based on our legitimate interests, in which case we can no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can object at any time to our use of personal data relating to you in connection with our direct marketing with a view attracting you as a client. Where you do so, the personal data shall not afterwards be processed for such purposes.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where we are processing personal data about you with your consent you can withdraw it at any time. However, where you do, it may not be possible for us to continue to fulfil your instructions adequately or at all.

Contact Information and Complaints

How to contact us

If you have any questions about this Privacy Policy or the personal data we will obtain and process about you, please contact: Cantab Asset Management Ltd, 50 Station Road, Cambridge CB1 2JH. FAO: Data Protection Officer


How to make a complaint

If you do not believe we have handled your information as set out in our Privacy Policy, or you otherwise wish to complain about our handling of personal data relating to you, please contact our Data Protection Officer at the above address.

If you are not satisfied with our response to your complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (ICO) at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel 0303 123 1113


Policy changes

If we decide to change this Privacy Policy, we’ll post the updated Privacy Policy on our website so that you’re always aware of what personal information we collect, how we use it and under what circumstances we disclose it. This Privacy Policy was last updated on 15 January 2023.