Our privacy policy (including use of cookies)

Cushon Group Limited Privacy Notice

This privacy notice was last revised on 15 October 2025.

1. Who we are

This notice ("the Privacy Notice") applies to all information we collect, use and process about you as a customer in relation to the products/services you receive from us.

"Cushon" is a trading name of the group of companies owned by Cushon Holdings Limited ("the Cushon Group"). Cushon Holdings Limited is a company registered in England and Wales with company number 14213564.

More information about the Cushon Group can be found on our website at www.cushon.co.uk.

In this notice, references to "we", "us" or "our" are references to one or more companies in the Cushon Group. Our address is 250 Bishopsgate, London, England, EC2M 4AA and our Data Protection Officer can be contacted at dpo@cushon.co.uk.

For the purposes of this notice, references to “you” or “your” should be understood to include, where appropriate and contextually relevant (such as in the case of intermediaries) your principals, directors, shareholders, employees, contractors and workers – collectively referred to as your “Key Persons.”

Depending on the products or services you receive from us, one or more of the below Cushon Group companies will be the relevant data controller in respect of personal information that we process about you in connection with our business (including the products and services that we provide): 

  • Cushon Group Limited - a company registered in England and Wales with company number 10967805 

  • Cushon Money Limited - a company registered in England and Wales with company number 11112120 

  • Cushon MT Limited is data controller regarding processing personal data when initially collected from the introducer


Please check the terms and conditions of your product or service to confirm who the relevant data controller will be.


In some situations, Cushon MT Limited (a company registered in England and Wales with company number 12366412) and Cushon MT NI Limited (a company registered in Northern Ireland with company number NI040179) act as data processors on behalf of the Trustees of the Master Trusts. The privacy notice of the Trustees of the Cushon Master Trust, in their capacity as data controller, can be found here.


In the course of delivering Auto-Enrolment compliance services, Cushon MT Limited acts as a Service Provider (also known as a “Data Processor”) on behalf of our clients. Our clients use our services to help securely process data related to their employees.

Therefore, if you are using Cushon MT Limited services as an employee of a Cushon MT Limited client, any personal information collected through such use will be processed and shared in accordance with that client’s privacy policies and practices. For any questions regarding our clients, please contact your employer directly.

2. Why we are providing this Privacy Notice to you

We are committed to protecting your privacy. We have produced this notice to explain to you what personal information we have, how we get it and how and why we use that information. We respect individuals' rights to privacy and to the protection of personal information.


As a provider of financial and compliance services, we hold certain information about you and this is your personal data. Personal data means information about a living individual who can be identified by that information (either by itself or when it is combined with other information). 


By law, we are a controller of personal information that we collect and hold about you. This is because we decide how and why your personal information is used.

 

If you’ve submitted an application on behalf of someone else, whether an individual or business, and have shared information about directors, shareholders, owners, trustees or beneficiaries (as relevant), this privacy notice also applies to them. It is important that they read this notice and we will assume you’ve informed them that their details have been provided to us and that you’ve shared this notice with them.

3. The information we process

We currently collect and process various categories of personal data and confidential information at and for the duration of, your relationship with us and beyond (subject to appropriate retention periods set out at section 5 below). We will limit the collection and processing to information necessary to achieve one or more legitimate purposes as identified in this Privacy Notice.

Personal data processed by us may include: 

  • Basic customer information including name and address, date of birth, contact details, nationality, the fact that you are our customer; 

  • Financial information, including account, transactional information and history, and benefits information; 

  • Employment and business information; 

  • Information about your financial circumstances; 

  • Information about your use of our app or website; 

  • Visual images and personal appearance (such as photos or copies of passports), and voice recordings

  • Background checks; and information about your communications with us.


We may also process certain special categories of personal data where strictly necessary for completing specific activities related to our services, such as to make our services accessible to customers or for reporting of complaints for regulatory purposes, or where it is in the wider public interest (for example, to protect customers’ economic wellbeing or to prevent and detect unlawful acts, fraud and financial crime). We will only process special categories of personal data where we've obtained your explicit consent or are otherwise lawfully permitted to do so (and then only for the particular purposes and activities for which the information is provided).


This may include information revealing:

  • Racial or ethnic origin

  • Biometric data

  • Information concerning health

 

Where we rely on your consent to process your special category data, you can withdraw your consent at any time by contacting us. Please note that in some cases we do not rely on consent to process special category data.

 

Where permitted by law we may process information about criminal convictions, criminal offences, related security details, alleged offences including unproven allegations, spent or previous convictions, or other details provided in relation to a criminal reference check or similar. We process this information for specific purposes, such as detecting and preventing fraud and financial crime, where it is in the wider public interest (for example, to protect customers' economic wellbeing), or to make our services accessible to customers or for reporting of complaints for regulatory purposes.

 

We may use artificial intelligence models in the course of providing products and services, and this may include use of generative artificial intelligence models. We process this information for the purpose of locating your existing pensions from previous employers and other providers and bringing them all into one place on our platform for easier management.

4. How we collect and obtain your personal information

Most of the personal information we process is provided to us directly by you. 

We also receive personal information about you indirectly, from the following sources in the following scenarios: 

  • Your employer, when enrolling you for employment-related benefits;

  • Identity and background checks providers;

  • Data and sales intelligence platforms and parent company - to identify new business opportunities and to develop enquiries and leads into applications or proposals for new business;

  • Third parties, such as an accountancy firm, law firm or management consultancy;

  • Fraud prevention, law enforcement or government agencies;

  • Information that we gather, where we have your consent, through cookies or similar tracking tools when you use our websites, mobile savings app, email or web chat services. Advertising or targeting cookies or similar technologies may also be used, with your consent, to track your responses to particular adverts, messages or forms, which helps us to ensure we present you with the most relevant content in the future;


Cookies may also be set if you click on a link within the email.

We track delivery and analyse the click rates of bulk emails in order to:

  • Identify delivery problems with Internet Service Providers.

  • Provide evidence that regulatory messages are being opened.

  • Ensure subject lines and email content are clear and helpful.

  • Measure the overall performance of communication campaigns.

  • Make our communications more relevant.


By default, tracking logs are deleted after 6 months.

  • Information that we gather from publicly available sources, such as the press, the electoral register, company registers and online search engines; and

  • Information that you make public on social media (for example, Facebook, Twitter).

Why we have your personal information


We will only use and share your information where it is necessary for us to carry out our lawful business activities. Under UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for processing this information is:


(a) Your consent. You are able to remove your consent at any time. You can do this by contacting the Data Protection Officer at dpo@cushon.co.uk.

(b) We have a contractual obligation.

(c) We have a legal obligation.

(d) We have a legitimate interest.

  • We have your permission - Our activities where we may rely on your consent include where we process certain special categories of data; where we use cookies or similar technologies; or where we collect your permission for sending marketing or any other processing where we request your consent.

  • Contractual Necessity - Where required, whether directly or indirectly, for your product or service, which could include in relation to your welfare or accessibility requirements; 

    • Providing and managing accounts

    • Providing and managing the user's access to the app & website

    • Supplying products and services

    • Calculating, securing and paying benefits

    • Assess and process applications for products or services, including applications where you are acting on behalf of one of our customers, such as Power of Attorney;

    • Administering the contract we have entered into with customers

    • Sending in-app notifications via CushonME

    • Providing customer service support and tracking customer requests

    • Ensuring the accuracy of client's primary contact information

    • Communicate with you about your account(s) or the products and services you receive from us.

  • Legal Obligation - When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you. This may include processing to:

    • Confirm your identity (including using biometric information and voice-recognition technology and other identification procedures, for example fingerprint verification where we have a valid legal basis e.g., consent);

    • Accessibility and providing reasonable adjustments

    • Prevention and detection of fraud or other criminal activities

    • Perform anti-money laundering, KYC and background checks on you, reporting to internal and external stakeholders

    • Coordinate responses to business-disrupting incidents and to ensure facilities, systems and people are available to continue providing services;

    • Provide assurance that Cushon has effective processes to identify, manage, monitor and report the risks it is or might be exposed to;

    • Conduct investigations into breaches of conduct and corporate policies by our employees;

    • Manage contentious regulatory matters, investigations and litigation

    • Share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;

    • Deliver mandatory communications to you or communicating updates to product and service terms and conditions;

    • Investigate and resolve complaints, and remediate errors occurring on your account or service;

    • Perform assessments and analyse your data for the purposes of managing, improving and fixing data quality;

  • Legitimate Interests of Cushon - We may process your information where it is in our legitimate interests to do so as an organisation or where it is in the legitimate interest of a third party:

    • Responding to enquiries and keeping a record of communications with enquirers

    • Market research

    • Send you relevant marketing information where you have not opted out (or where you have provided your permission).

    • Analysing use of the site and gather feedback to improve the site and your experience

    • Sale, merger, acquisition, disposal, reorganisation or similar change

    • To make decisions about you and the continued operation of your accounts

    • Compensate you for loss, inconvenience or distress as a result of services, process or regulatory failures

    • Responding and participating in industry improvements, consultations and initiatives

    • To monitor, maintain and improve internal business processes, information and data, technology and communications solutions and services (for example confirmation of payee)

    • Managing relationship with introducers

    • Provide assurance on Cushon’s material risks and reporting to internal management and supervisory authorities on whether Cushon is managing them effectively

    • Assess the quality of customer services and to provide staff training. Calls to our service centres, video calls and communications to our mobile and online helplines may be recorded and monitored for these purposes

    • Perform analysis on customer complaints for the purposes of preventing errors and process failures and rectifying negative impacts on customers;

    • Risk reporting and risk management

    • Research your experiences with us and to monitor the performance and effectiveness of products and services;

    • Identify new business opportunities and to develop enquiries and leads into applications or proposals for new business

    • Perform general, financial and regulatory accounting and reporting;

    • Further our purpose to improve our and our customers’ environmental impact, including the aim of working towards a carbon neutral position.

    • Ensure business continuity and disaster recovery and respond to information technology and business incidents and emergencies;

    • Ensure network and information security, including monitoring authorised users’ access to our information technology for the purpose of preventing cyber-attacks, unauthorised use of our telecommunications systems and websites, prevention or detection of crime


Changes to the way we use your data


From time to time we may change the way we use your information. When we do, we will communicate any changes to you and publish the updated Privacy Notice on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it. Where we believe you may not reasonably expect such a change we will notify you and will allow a period of at least 30 days for you to raise any objections before the change is made. However, please note that in some cases, if you do not agree to such changes it may not be possible for us to continue to operate your account and/or provide certain products and services to you. Where relevant, we may also include further details or information in relation to a particular service or activity at the point information is collected or the product or service is considered.


Who your personal information may be shared with

So that we can provide you with products and services, meet our legal obligations and manage our business, it may be necessary to share your personal information with other third parties including:

  • Your employer; 

  • NatWest Cushon parent entities for the purposes of enabling our parent entities to exercise oversight of our business.

  • Anyone acting on your behalf with authority to do so, such as a power of attorney or your professional advisors. 

  • Third-party suppliers (or potential suppliers), who provide services on our behalf; 

  • Purchasers and potential purchasers of our businesses, including joint venture partners; 

  • Third parties who have introduced you to us or are involved in the introduction process (e.g. an intermediary)

  • Fraud prevention agencies, Law enforcement and investigative authorities; 

  • Courts, regulators, government bodies and similar organisations as required by law (such as the Financial Conduct Authority (FCA), Prudential Regulatory Authority (PRA), HMRC, the Information Commissioner’s Office, the UK Financial Services Compensation Scheme (FSCS), the Financial Ombudsman Service (FOS), our professional advisors and/or the courts);

  • Corporate auditors and legal or other advisors;

  • Our professional advisors such as law firms, accountants, insurers or other professional advisor as required; and

  • Our PR and Communications partners when you enter our prize draws.

We will not share your information with other third parties unless:

  • We have your permission; 

  • Where required, whether directly or indirectly, for your product or service, which could include in relation to your welfare or accessibility requirements; 

  • With law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory or trade bodies; 

  • Where required for a proposed or actual sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business where such data is shared with a third party it is done under strict duties of confidentiality; and 

  • Where permitted by law, it is necessary for our legitimate interests or those of a third party, and it is not inconsistent with the purposes listed in this Privacy Notice.

 
Communications about your account

If at any point in the future you change your contact details you should tell us promptly about those changes.


Automated processing


We do not generally make decisions based solely on automated decision-making within the meaning of UK GDPR. In the event that we rely solely on automated decision-making that could have a significant impact on you, we will provide you an opportunity to express your views and will provide any other safeguards required by law.

5. How we store your personal information

Your information is securely stored and encrypted both in transit and at rest. It may only be accessed on a need-to-know basis for the purposes set out in this Privacy Notice.


We manage our records to help us to serve our customers well (for example for operational reasons, such as dealing with any queries relating to your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.

 

Retention periods for records are determined based on the type of record, the nature of the activity, product or service, and the applicable legal or regulatory requirements. We normally keep customer account records for up to ten years after your relationship with Cushon ends, whilst other records are retained for shorter periods. Retention periods may be changed from time to time based on business or legal and regulatory requirements.


We may on exception retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators. This is intended to make sure that we will be able to produce the records as evidence, if they are needed. 

6. Transferring your data outside the UK or EEA

We will store your personal data mainly in the UK or European Economic Area (EEA). In extremely limited circumstances we transfer personal data to third countries (e.g. USA). 


When we do send personal data abroad, we do so using appropriate safeguards. This includes standard contractual clauses approved for use by the UK Information Commissioner's Office ("ICO"), eventually supplemented with additional measures. We can also use other suitable safeguards, such as adequacy decisions or approved Binding Corporate Rules from our vendors, to permit personal data transfers from the United Kingdom or the European Economic Area ("EEA") to other countries, in accordance with the applicable laws. 


You can request further information regarding international data transfers of your personal data by contacting us using the contact details included below in this Privacy Notice.

7. Your data protection rights

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information. This is commonly known as submitting a 'data subject access request'.


Your right to rectification
- If you discover that the information we hold about you is inaccurate or incomplete, you have the right to request that this information is corrected. You also have the right to ask us to complete information you think is incomplete. 


Your right to erasure
- You may ask us to delete information we hold about you in certain circumstances; this is often referred to as the 'right to be forgotten'. This right is not absolute and only applies in particular circumstances. It may not always be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship with you or we are required to retain information to comply with our legal obligations or to exercise or defend legal claims.


Your right to restriction of processing
- In some cases, you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.


Your right to object to processing
- You may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests or for the purposes of statistical analysis.


Your right to data portability
- You have the right to receive, move, copy or transfer your personal information to a controller, which is also known as 'data portability'. This only applies to information you have given us and if we are processing your personal information based on consent or contract and the processing is automated.


Your right to withdraw consent
- Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.


Your right to object to direct marketing
- You may also object to the processing of your personal information for the purposes of direct marketing.


Your right to lodge complaints
- If you wish to raise a complaint on how we have handled your personal information please contact us using the contact details included below in this Privacy Notice. 


If you’d like to exercise your rights or if you have any queries about how we use your personal information that are not answered here, please contact us using the contact details included below in this Privacy Notice.

 

We hope that we can address any concerns you may have, but you can always contact the Information Commissioner’s Office (ICO). For more information, visit ico.org.uk


We respond to all requests we receive from users in accordance with applicable data protection laws. We may ask you to provide proof of identity before we can answer the above requests. In some cases, we may reject requests for certain reasons (for example, if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another individual). The reason for rejection of the request will be communicated within one calendar month after the request is made. 


You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. 


We try to respond to all legitimate requests within one calendar month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 


Please note that in some cases, if you do not agree to the way we process your information, it may not be possible for us to continue to operate your account and/or provide certain products and services to you. 


Updates


Effective 01st October 2025 we have updated our privacy notice to comply with the new Data Use and Access Act 2025. This legislation enhances your rights regarding your personal data and introduces new requirements for how we collect, use and share your information.


Key updates:

  • Data Access Rights – You now have the right to request access to the personal data we hold about you, including information on how it is being used and shared

  • Data Portability – You can request that your data be transferred to another service provider in a structured, commonly used, and machine-readable format

  • Increased Transparency – We are committed to providing clearer information about our data practices, including the purposes for which your data is collected and how long it will be retained.

  • Enhanced Security Measures – We have implemented additional security protocols to protect your data against unauthorised access and breaches

  • Opt-Out Options – You now have greater control over your data, including options to opt-out of certain data processing activities

8. Cookies

As you interact with our website, we will automatically collect data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. Please see our cookie notice below for further information on how we use cookies and similar technology. 

8.1 Who we are

This notice ("the Cookie Notice") applies to all information we collect, use and process about you while browsing our website or accessing your personal account with us.


"Cushon" is a trading name of the group of companies owned by Cushon Holdings Limited ("the Cushon Group"). Cushon Holdings Limited is a company registered in England and Wales with company number 14213564.


More information about the Cushon Group can be found on our website at www.cushon.co.uk.


In this notice, references to "we", "us" or "our" are references to one or more companies in the Cushon Group. Our address is 250 Bishopsgate, London, England, EC2M 4AA and our Data Protection Officer can be contacted at dpo@cushon.co.uk.


Depending on how you use our website, one or more of the below Cushon Group companies will be the relevant data controller in respect of personal information that we process about you in connection with our website:

  • Cushon Group Limited - a company registered in England and Wales with company number 10967805

  • Cushon Money Limited - a company registered in England and Wales with company number 11112120

8.3 What are cookies?

A cookie is a small piece of data (text file) that a website stores on your device in order to remember information about you, such as your language preference or login information. Cookies are not stored on your device unless you provide your consent. Those cookies are set by us and called first-party cookies. We also use third-party cookies - which are cookies from a domain different from the domain of the website you are visiting - for advertising and marketing purposes. 


We use cookies and other tracking technologies for different purposes, including providing and improving our services, ensuring our website is secure, and recognising you when you visit our website. Additionally, some cookies might collect information about your browsing history or purchasing behaviour when you access our website, including information about pages viewed, products purchased, and your journey around the website. 


We do not use cookies to collect or record information such as your name, address, or contact details. 


UK privacy regulations require that your consent is obtained for the use of all cookies except those that are necessary for the site to provide you with information and services you request (so-called "strictly necessary cookies"). 


Below in section 5 of this Cookie Notice is a detailed list of the cookies that may be used by our site if you choose to allow cookies. 


We use the following cookies: 

  • Necessary cookies. These cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions. 

  • Analytics cookies. This is a set of tools used to collect and analyse anonymous usage information, enabling us to better understand how our site is used and to improve our website and the products and services offered through it. 

  • Communication cookies. These cookies enable us to offer immediate support if you need it. The webchat service uses cookies to gather the required information.

  • Marketing cookies. These cookies are to help us improve the relevancy of personalised advertising campaigns you receive. If this box is unchecked, you will still see adverts but they may not be relevant to your interests. 

8.4 How long do cookies stay on your device?

The length of time that a cookie remains on your computer or mobile device depends on whether it is a "persistent" or "session" cookie. Session cookies last until you stop browsing and persistent cookies last until they expire or are deleted. Most of the cookies we use are persistent and will expire at a point between 30 minutes and two years from the date they are downloaded to your device.

8.5 How to manage cookies

Before cookies are placed on your computer or device, you will be shown a pop-up requesting your consent to set those cookies. By giving your consent to the placing of cookies you are enabling us to provide the best possible experience and service to you. 


You may, if you wish, deny consent to the placing of cookies. However, certain features of our website may not function fully or as intended when consent is denied. 


Certain features of our website depend on strictly necessary cookies to function. Your consent will not be sought to place these cookies, but it is still important that you are aware of them. You may still block these cookies by changing your internet browser's settings. Please be aware that our website may not work properly if you do so. 

8.6 How to delete cookies from your device

You can choose to delete cookies on your computer or device at any time, however you may lose any information that enables you to access our website more quickly and efficiently including, but not limited to, login and personalisation settings. 


It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings. 


You can also choose to enable or disable cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third-party cookies. For further details, please consult the help menu in your internet browser. 

9. Updates to this Privacy Notice

We may update this Privacy Notice periodically. Where we do this we will inform you of the changes, and the date on which the changes take effect, and publish the updated Privacy Notice on our website. We would encourage you to visit our website regularly to stay informed of the purposes for which we process your information and your rights to control how we process it. 

10. How to contact us

If you have questions regarding your privacy and rights, please contact us:

  • Email us

  • Address: 250 Bishopsgate, London, England, EC2M 4AA