AfFord Financial Advisory

Privacy Policy

Last updated: 5 May 2026 · Version: 1.0

This policy explains how AfFord Financial Advisory collects, uses, stores and protects your personal data when you visit our website, enquire about our services, or become a client. We are committed to protecting your privacy and handling your information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all related guidance issued by the Information Commissioner's Office (ICO).

Contents
  1. Who we are
  2. Personal data we collect
  3. How we use your data
  4. Lawful basis for processing
  5. Sharing your data
  6. How long we keep data
  7. International transfers
  8. Security
  9. Cookies & tracking
  10. Your rights
  11. Marketing communications
  12. Complaints & ICO
  13. Changes to this policy
  14. Contact us

01

Who we are

AfFord Financial Advisory ("we", "us", "our") is the data controller for the personal information we hold about you. We are an independent financial advisory firm based in London, United Kingdom.

We are authorised and regulated by the Financial Conduct Authority (FCA). Our entry on the FCA Register, including our firm reference number, is available at register.fca.org.uk.

We are registered with the Information Commissioner's Office (ICO) as a data controller in accordance with the Data Protection Act 2018.

02

Personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

Identity & contact data

  • Full name, title, date of birth and nationality
  • Address (current and previous), email address, telephone numbers
  • Identity verification documents (passport, driving licence, proof of address)
  • National Insurance number and tax residency

Financial & advisory data

  • Income, expenditure, assets, liabilities and net worth
  • Employment status, occupation and employer details
  • Existing pensions, investments, insurance policies and savings
  • Financial goals, attitudes to risk, and capacity for loss
  • Banking details for fee collection

Sensitive (special category) data

  • Health information — only where relevant to protection or annuity advice
  • Information about dependants or vulnerable circumstances where this affects suitability

Technical & website data

  • IP address, device type, browser, operating system
  • Pages visited, time spent, referral source
  • Cookie identifiers (see Section 9)

We collect this data directly from you (forms, meetings, calls, secure messaging), from third parties you have authorised (existing pension or investment providers, accountants, solicitors), and automatically through your interaction with our website.

03

How we use your data

We use your personal data to:

  • Respond to your enquiries and assess whether we can help
  • Provide regulated financial advice and ongoing planning services
  • Carry out anti-money laundering (AML) and identity checks required by law
  • Prepare suitability reports, recommendations, and review documentation
  • Communicate with product providers, custodians and platforms on your instruction
  • Manage our client relationship, including billing and complaint handling
  • Meet our regulatory record-keeping obligations under FCA rules
  • Send you newsletters or relevant updates — only where you have opted in
  • Improve our website and services

04

Lawful basis for processing

Under UK GDPR we must have a lawful basis for processing your data. The bases we rely on are:

Basis | When we use it
Contract | To provide the advisory services you have engaged us for, including all client onboarding, suitability work and ongoing reviews.
Legal obligation | To comply with FCA rules, AML/KYC laws, tax reporting obligations and HMRC requirements.
Legitimate interests | To respond to enquiries, manage our business, prevent fraud, and improve our services — balanced against your rights.
Consent | For marketing communications, optional cookies, and the processing of certain special category data.
Vital interests | In rare cases where processing is necessary to protect someone's life.

For special category data (such as health information), we additionally rely on your explicit consent or, where applicable, the substantial public interest condition under Schedule 1 of the Data Protection Act 2018.

05

Sharing your data

We do not sell your personal data. We share it only where necessary, including with:

  • Product providers — pension, investment, insurance and platform providers we recommend
  • Regulators — the Financial Conduct Authority, HMRC, the ICO, and the Financial Ombudsman Service where required
  • Professional advisers — your accountant, solicitor, or tax adviser, where you have asked us to liaise
  • Service providers — secure cloud storage, CRM platforms, AML verification services, professional indemnity insurers, and IT support, all bound by data processing agreements
  • Successors — in the event of a sale, merger or transfer of our business, subject to safeguards

Every third party we share your data with is required to handle it in accordance with UK GDPR and our written instructions.

06

How long we keep your data

FCA rules require regulated firms to retain client records for set minimum periods. Our retention principles are:

Record type | Retention period
Client suitability and advice records | Indefinitely, or for the lifetime of the product (FCA requirement)
Pension transfer advice | Indefinitely
AML/KYC verification records | 5 years from end of business relationship
Marketing consent & preferences | Until you withdraw consent
Website enquiry forms (no engagement) | 2 years
Financial transaction records | 6 years (HMRC requirement)
Complaint records | 3 years from resolution

After the applicable retention period, your data is securely deleted or anonymised.

07

International transfers

We primarily process your data in the United Kingdom and the European Economic Area (EEA). Where any of our service providers process data outside these regions, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or transfer to a country covered by an adequacy decision.

08

Security

We take the protection of your data extremely seriously. Measures include encrypted client portals, multi-factor authentication on all client systems, restricted access on a need-to-know basis, regular security testing, encrypted backups, and a documented incident response procedure.

While we use industry-standard security, no transmission over the internet is ever 100% secure. We urge you to use our secure portal — not unencrypted email — for sharing sensitive financial information.

09

Cookies & tracking

Our website uses a small number of cookies. These fall into the following categories:

  • Strictly necessary — required for the site to function (no consent required under PECR)
  • Analytics — help us understand how visitors use the site (only with your consent)
  • Functional — remember preferences such as cookie consent choices

We do not use advertising or social-media tracking cookies. You can manage cookie preferences at any time through your browser settings or our cookie banner.

10

Your rights

Under UK GDPR you have the following rights, exercisable free of charge:

  1. Right of access — obtain a copy of the personal data we hold about you
  2. Right to rectification — correct inaccurate or incomplete data
  3. Right to erasure — ask us to delete your data, where regulatory rules permit
  4. Right to restrict processing — limit how we use your data in certain circumstances
  5. Right to data portability — receive your data in a structured, commonly used format
  6. Right to object — object to processing based on legitimate interests, including direct marketing
  7. Rights related to automated decision-making — we do not use solely automated decision-making
  8. Right to withdraw consent — where processing is based on consent

Some rights are not absolute — for example, FCA record-keeping rules may prevent us from deleting client advice files. We will explain clearly if any limitation applies to your request.

To exercise any right, contact us using the details in Section 14. We will respond within one calendar month.

11

Marketing communications

We will only send you marketing communications — such as newsletters, market updates, or invitations to events — if you have given us your consent or are an existing client and have not opted out.

Every email contains an unsubscribe link, and you can opt out at any time by emailing us. Withdrawing consent does not affect the lawfulness of any processing carried out before that point.

12

Complaints & the ICO

If you are unhappy with how we have handled your personal data, please contact us first so we have the opportunity to put things right. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113 · ico.org.uk

13

Changes to this policy

We review this policy regularly and may update it from time to time to reflect changes in law, regulation, or our practices. The "Last updated" date at the top of the page indicates when the policy was last revised. Significant changes will be notified to existing clients directly.

14

Contact us

For any questions about this policy, your data, or to exercise any of your rights, please contact:

Data Protection Lead, AfFord Financial Advisory
Email: privacy@affordadvisory.com
Post: AfFord Financial Advisory, London, UK

© 2026 AfFord Financial Advisory · Authorised & regulated by the FCA