Privacy Policy

1. Data controller and contact

The data controller is AssetCraft Ltd., 12 Baker Street, London, W1U 3BH. We determine the purposes and means of processing personal data for this site. You can reach our team at [email protected] or by phone at +44 20 3974 1810. For rights requests, questions about this policy, or concerns about data use, please write to our dedicated privacy inbox at [email protected]. If you prefer postal mail, address your letter to Privacy Officer, AssetCraft Ltd., 12 Baker Street, London, W1U 3BH. We respond to verified requests as soon as possible and within the timelines required by UK GDPR.

2. What personal data we collect

We collect only the data that is necessary for education delivery, site performance, and compliance. The categories are: identification data such as full name if you submit a form. Contact details such as email address and optional phone number when provided. Technical data including IP address, device type, operating system, browser type and version, screen resolution, and basic locale settings. Usage data such as pages visited, time on page, referring pages, scroll depth, and clicks on site elements. Cookie and similar identifiers that remember preferences and measure aggregated performance. Communications data including your messages to us, support history, and records of consent or objection. We do not collect special category data like health, religion, or biometric identifiers. We do not seek financial account numbers. If you include sensitive information in a free text field, we will delete it and advise you not to send such data.

3. How we collect data

We collect data through forms that you choose to submit, such as the newsletter form on our homepage and any rights request form on this page. We also use cookies and similar technologies to remember consent choices and to run privacy-respecting analytics after consent. Server logs capture IP address, user agent, and request metadata to secure the site and troubleshoot errors. If you enrol in a course, we collect the minimum information needed to create your account and deliver materials. We may use analytics tools such as Google Analytics 4 configured with IP anonymisation and data retention controls. If you consent to marketing cookies, we may use Meta Pixel for measurement and audience analytics aligned with your preferences. We do not buy data from brokers. We do not combine browsing data with third-party profiles. All collection methods are disclosed in this policy and controlled via the cookie banner on this site.

4. Legal bases for processing

We rely on the legal bases set out in UK GDPR Article 6. Consent, Article 6(1)(a): for newsletters, optional cookies, and marketing measurement. When you tick a box or click Accept on our banner, consent is recorded and can be withdrawn at any time. Contract, Article 6(1)(b): to provide requested educational content that requires an account, such as course access, and to send transactional messages about your enrolment. Legitimate interests, Article 6(1)(f): to run core site functions, prevent fraud, maintain security, and understand aggregate site performance. We perform a balancing test to ensure our interests do not override your rights. Legal obligation, Article 6(1)(c): to keep records required by law, respond to authorities, or comply with court orders. Vital interests, Article 6(1)(d): only where needed to protect an individual’s vital interests, which we do not expect in the normal operation of this site.

5. Purposes of processing

We process data for specific purposes. Service delivery: to operate the website, provide calculators, and deliver course content where applicable. Communication: to respond to your messages, send requested newsletters, and inform you about material policy changes. Analytics: to understand which pages are useful, improve navigation, and fix usability problems. Personalisation: to remember cookie choices and interface preferences like accessibility settings. Security and fraud prevention: to detect abusive behaviour, limit spam submissions, and protect accounts. Compliance: to maintain opt out lists, consent logs, and records that demonstrate accountability. Marketing, with consent only: to measure campaign effectiveness and show relevant educational offerings. We never use personal data for automated decision making that produces legal or similarly significant effects on you.

6. Retention periods

We keep data only as long as needed for the purposes described. Form submissions that are not linked to an account are stored for up to 2 years to manage follow ups and audit trails. Newsletter mailing list data is retained until you unsubscribe plus 30 days for suppression and record keeping. Analytics data configured in GA4 is retained for up to 14 months. Server logs that contain IP addresses are kept for up to 90 days unless needed to investigate a security incident. Course account data is retained while the account is active and for up to 24 months after inactivity or closure to support re-activation and legal requirements. Cookie consent records are kept for up to 24 months. When retention periods end, data is deleted or irreversibly anonymised using secure methods. Backup copies are overwritten on a rolling schedule.

7. Data sharing and processors

We do not sell personal data. We share data with carefully selected service providers that help us run this site. Typical processors include a hosting provider and content delivery network to serve pages securely. An email service provider to send newsletters and manage unsubscribes. A form handling or help desk tool to route support messages. An analytics provider for aggregated usage statistics, such as Google Analytics 4. If you purchase a course, a payment processor handles your transaction details. Each processor is bound by a contract that limits processing to our instructions, mandates confidentiality, and requires appropriate technical and organisational measures. If we are legally compelled to disclose information to public authorities, we will verify the request and provide only what is required by law.

8. International transfers

Some processors may store or access data outside the UK and EEA. Where international transfers occur, we implement appropriate safeguards. These include Standard Contractual Clauses approved by the European Commission or the UK International Data Transfer Addendum. When a transfer is to a country covered by an adequacy decision, we rely on that decision. We assess vendor practices and security controls before onboarding and maintain records of transfer mechanisms. You can request details about specific transfer safeguards associated with your data by contacting [email protected].

9. Your rights

Under UK GDPR you have several rights. Right of access: you can request a copy of the personal data we hold about you. Right to rectification: you can ask us to correct inaccurate or incomplete information. Right to erasure: you can ask us to delete personal data where it is no longer needed or where you withdraw consent. Right to restrict processing: you can request that we limit processing while we review a concern. Right to data portability: you can request a copy of your data in a structured, commonly used format for transfer to another service. Right to object: you can object to processing based on legitimate interests and to direct marketing at any time. Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing. To exercise any right, email [email protected] and describe your request and the email address you used with us. We may ask for reasonable verification to protect your account and data.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office if you are not satisfied with our response. We would appreciate the chance to address your concerns first. Contact details for the supervisory authority are available on the ICO website. Nothing in this policy limits your statutory rights.

10. Cookies and similar technologies

Cookies are small files stored on your device that help the site function and measure usage. We use three categories. Strictly necessary cookies: required for core features like security, cookie consent storage, and load balancing. These are always active and typically expire within 12 to 24 months, or at the end of your session for temporary cookies. Analytics cookies: used to understand aggregated behaviour, such as which guides are most helpful. These run only after you click Accept on the banner and typically have a lifespan of 1 to 14 months, aligned with our analytics retention settings. Marketing cookies: optional and used to measure campaign effectiveness if we run ads on platforms like Meta. These are off by default and set only with consent. You can manage preferences at any time using the Manage Cookies link in the footer or by clearing cookies in your browser. Declining optional cookies will not limit access to core content such as our guides and calculators.

We respect signals from the cookie banner stored in your browser. If you reject analytics or marketing cookies, we configure our tools to avoid setting them. When available, we enable privacy controls such as IP masking, domain-level consent mode, and reduced data sharing. We do not use web beacons or fingerprinting to circumvent your preferences. Our cookie banner stores your choice in local storage so that we can remember it on subsequent visits. You can revisit your decision by selecting Manage Cookies in the site footer.

11. Children’s privacy

Our content is intended for adults and older students who are interested in financial literacy. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal information without appropriate consent, please contact [email protected] and we will take steps to delete the information promptly. Educators and parents who wish to use our public guides can do so without creating accounts or submitting personal data. Accounts and email subscriptions should be created only by individuals who meet the applicable age requirement in their location or by a parent or guardian on their behalf where lawful.

12. Security

We apply appropriate technical and organisational measures to protect personal data. These include encryption in transit, strict access controls based on role, monitoring for suspicious activity, regular dependency updates, and periodic vendor risk reviews. We design forms to collect the least amount of data required. Staff receive guidance on handling personal data and reporting any suspected incident. No online service can claim perfect security. We commit to investigating issues, notifying affected users where required, and improving controls based on lessons learned. If you discover a vulnerability, please email [email protected] with steps to reproduce so that we can investigate responsibly.

13. Policy updates

We review this Privacy Policy to ensure it remains accurate and aligned with our practices and legal requirements. When we make material changes, we will update the Last Updated date at the top of this page and display a notice on the website. If changes affect how we process your data for consent based activities, we will request fresh consent where required. We encourage you to revisit this page from time to time to stay informed about our privacy approach.

If you disagree with updates, you can withdraw consent for optional processing and request deletion of your data where applicable. Continued use of the site after changes take effect indicates that you have read the revised policy. This policy is effective as of the date shown and supersedes earlier versions.

15. Additional information for UK residents

AssetCraft Ltd. operates under the UK GDPR and the Data Protection Act 2018. Our lawful bases, processing purposes, and user rights are described above. If you wish to raise a concern with the supervisory authority, you may contact the Information Commissioner’s Office. We are committed to fair and transparent processing and will work to resolve any concern directly. If we introduce new features that materially change how we use personal data, this policy will be updated and you will be informed via a site notice or email if you are a subscriber.