Privacy Policy
Introduction & Scope
Threadneedle Partners is committed to protecting personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how we collect, use, and safeguard personal information. It applies to all personal data handled by Threadneedle Partners in the UK and EU, including data of UK/EU-based data subjects, and reflects our obligations under UK and EU data protection law (where applicable).
We act as the data controller for personal data we collect in providing our services, which means we determine the purposes and means of processing. We take privacy seriously and implement appropriate measures to protect personal data, in accordance with the fundamental principles of lawfulness, fairness, and transparency.
Personal Data We Collect
We collect personal data necessary to operate our expert network and provide services to our clients. This may include identification and contact information (e.g. name, email, phone, job title, business address), professional details (e.g. areas of expertise, employment history for experts), and communication records (e.g. emails or call notes). If you are a client or expert, we may also record account and billing information for contract and payment purposes.
We obtain this information directly from you or, in some cases, from third parties with your consent or as permitted by law (for example, a client may provide an expert’s contact details for a consultation). We do not collect sensitive personal data (such as health or racial information) unless absolutely necessary and with appropriate safeguards.
How We Use Personal Data
Threadneedle Partners uses personal data only for legitimate business purposes, such as:
• Providing and managing services: Scheduling expert consultations, panels, and projects; facilitating communication between clients and experts; and ensuring any agreed deliverables are met.
• Client and expert administration: Maintaining user accounts, processing payments, and handling contracts or NDAs.
• Communication: Sending service-related updates or information you request, and (with your permission) occasional marketing about new services or events.
• Legal and compliance: Fulfilling contractual obligations, complying with legal requirements, resolving disputes, and enforcing agreements.
We ensure that each use of personal data has a proper legal basis under data protection law (for example, performance of a contract, our legitimate interests in business administration, or obtaining consent for optional marketing).
We do not use personal data for any new, incompatible purpose without updating this policy and, if required, obtaining your consent. We also do not engage in automated decision-making or profiling that has legal or similarly significant effects on individuals.
Data Sharing & Disclosure
We share personal data only when necessary and with appropriate safeguards. In particular:
• With clients and experts: Experts’ profiles (e.g. name, role, expertise) may be shared with prospective clients for consultation opportunities, and vice versa, on a need-to-know basis and typically with the individual’s knowledge.
• Service providers: We may use trusted third parties to support our operations (e.g. cloud hosting, IT support, payment processors). These providers are bound by contracts to process data securely and only according to our instructions, in compliance with UK/EU data protection requirements.
• Legal or regulatory: If required by law or regulation, or to protect our rights (e.g. responding to lawful requests by authorities or meeting financial auditing obligations), we may disclose relevant data. We will ensure any request is valid and necessary.
We never sell personal data to third parties, and we do not share personal data with third parties for their own marketing or unrelated purposes without your explicit consent.
If we need to share personal data for any other purpose, we will explain this at the time and, if required, obtain consent. All third parties who receive personal data from us are obligated to protect it to the standards set out in this policy and applicable law.
International Data Transfers
As a UK-based company working with EU experts and US clients, personal data may be transferred internationally. In cases where we transfer data from the UK or EU to a country outside of those jurisdictions (for example, to the United States), we ensure that adequate safeguards are in place to protect the data. This includes using Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement, along with conducting Transfer Risk Assessments (TRAs), to verify that the data will have an equivalent level of protection.
We will only transfer personal information when it is necessary (e.g. an expert’s contact details to a US-based client for a scheduled call) and ensure any recipient outside the UK/EU is contractually bound to protect your data. If a suitable safeguard (such as an adequacy decision or SCCs) is not in place, we will either obtain your explicit consent or refrain from transferring the data.
Please note that the privacy laws in other countries may not be identical to those in the UK/EU. However, our safeguards (and any supplementary measures we adopt as needed) ensure that your rights and protections travel with your data.
Data Security Measures
We protect personal data with robust technical and organizational measures. Threadneedle Partners follows industry best practices and aligns with the UK Cyber Essentials security framework to guard against unauthorized access, alteration, or loss of personal data. Key measures include:
• Access controls: Personal data is accessible only by staff and contractors who need it to perform their duties, each with unique credentials and strictly limited permissions. Multi-factor authentication is used for sensitive systems.
• Encryption & secure configuration: We encrypt data in transit and at rest wherever feasible (e.g. SSL/TLS for our website, secure cloud storage). Systems and devices are securely configured and monitored for vulnerabilities.
• Endpoint security & malware protection: Devices and cloud services are equipped with up-to-date antivirus/anti-malware tools and threat detection systems. We employ allow-listing and other protections to block untrusted software.
• Patch management: We promptly install security updates for our systems and software, keeping them current to address known vulnerabilities in line with Cyber Essentials guidance.
• Physical and organizational security: We use appropriate physical security controls, and staff are trained regularly on data protection and cybersecurity. We maintain device use and incident response policies to identify and address data breaches swiftly.
No system can be 100% secure, but in the unlikely event of a data breach that risks your rights or freedoms, we will notify you and relevant authorities (such as the ICO) as required by law.
Data Retention
We retain personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law or regulation:
• Operational data (e.g. contact details, project records) is kept while you remain an active client or expert in our network. We regularly review the data we hold and delete or anonymize information no longer needed.
• Legal and compliance data (e.g. contract records, payment history) may be kept longer to meet tax, accounting, or other legal obligations, but will be archived and securely protected when not in active use.
• Prospective client/expert data (e.g. an expert profile or client inquiry) is kept for a limited time (typically no more than 12 months) unless we have ongoing consent to hold it.
When data is no longer needed, we securely delete or render it anonymous. Backups and archives are also subject to deletion policies, though complete removal from all systems may take additional time. Any third parties processing data on our behalf must also comply with our retention and deletion practices.
Your Rights as a Data Subject
Under UK/EU data protection law, individuals have rights regarding their personal information, including:
Right of access: Obtain a copy of your personal data
Right to rectification: Correct inaccurate data
Right to erasure (“right to be forgotten”)
Right to restrict processing
Right to data portability (where processing is based on consent or contract)
Right to object to certain processing (such as direct marketing)
Rights related to automated decision-making (we do not currently engage in automated profiling)
These rights are subject to certain limitations— for example, we may not erase data that we are legally required to retain. We will assess and respond to any request. You can exercise your rights at any time by contacting us (see “Contact Us” below). We will respond promptly (normally within one month) in accordance with the law.
If you have consented to particular processing activities (e.g. receiving marketing emails), you can withdraw that consent at any time by contacting us or using the unsubscribe link in such communications. Withdrawing consent does not affect the lawfulness of prior processing.
Contact Us & Complaints
If you have any questions, concerns, or requests about this Data Protection & Privacy Policy or how we handle your personal data, please contact us:
Email: info@threadneedlepartners.com
Address: Threadneedle Partners, 7 Bell Yard, London, UK
We take all privacy queries seriously and will do our best to address your concerns. If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). If you are based in the EU, you may contact your local data protection authority.
Policy Updates
We may update this Data Protection & Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any significant changes will be communicated to staff and, where appropriate, to clients or experts. The “last updated” date below will always indicate the latest revision. We encourage you to review this policy periodically to stay informed about how we protect your data.