Privacy Notice
This Privacy Notice explains what personal data we collect when you use FundManager.co.uk, why we collect it, who we share it with, how long we keep it, and the rights you have over it. Please read it carefully. By using the site you confirm you have read and understood this notice.
1. Who we are
FundManager.co.uk is operated by Bermudex Labs Limited, a company registered in England and Wales, whose registered office is 66 Paul Street, London, EC2A 4NA.
For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Bermudex Labs Limited is the data controller for the personal data described in this notice.
If you have any questions about this notice or how we handle your data, please get in touch via our contact form.
2. What information we collect
2.1 Account information
When you register an account we ask for:
- Your email address (used as your login)
- Your first and last name
- A password (stored only as a one-way hash — we never see your plain password)
You may also choose to add further details to your profile, such as marketing preferences. These additions are optional.
2.2 Activity and usage data
While you are signed in we keep a record of what you do on the site so we can show it back to you and improve our service. This includes:
- The watchlists and portfolios you create, and the stocks you add to them
- Reports, filters, and views you select
- The pages you visit and approximate timings, for analytics purposes
2.3 Technical data
We log technical information automatically when you visit the site, including:
- Your IP address
- Browser type and version, operating system, and device type
- Date and time of access, and pages visited
- Referrer URL (the page you arrived from)
This data is collected for security, fraud prevention, debugging, and aggregate analytics.
2.4 Communications
If you contact us through the contact form, by email, or via support channels, we'll keep a record of that correspondence.
3. Why we collect it (and our legal basis)
Under UK GDPR we must have a lawful basis for processing your personal data. The bases we rely on are:
3.1 Performance of a contract
To provide you with an account, deliver the features you've signed up for, and keep your watchlists and portfolios available between sessions.
3.2 Legitimate interests
To run, secure, and improve the site. This covers analytics, fraud prevention, debugging, and understanding how the site is used so we can make it better. We balance these interests against your rights and freedoms; if you're not comfortable with any of this processing, you can object — see section 8.
3.3 Consent
For optional things like newsletters, marketing emails, and non-essential cookies. You can withdraw consent at any time without affecting the service itself.
3.4 Legal obligation
Where we have to retain or disclose data to comply with the law, regulator requests, or court orders.
4. Cookies and similar technologies
We use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the site is used.
4.1 Strictly necessary cookies
These are required for the site to work — for example, the session cookie that keeps you signed in, and the CSRF token cookie that protects forms from cross-site request forgery. You cannot opt out of these without breaking core functionality.
4.2 Functional cookies
These remember your preferences, such as your default portfolio or your selected watchlist view. They expire after a maximum of 30 days.
4.3 Analytics cookies
We use Google Analytics to understand aggregated traffic patterns. Google Analytics sets its own cookies; please refer to Google's Privacy Policy for details. You can opt out of Google Analytics tracking using Google's opt-out browser add-on.
4.4 Cookie banner
The first time you visit the site we show a cookie banner where you can accept or reject non-essential cookies. Your choice is stored in your browser's local storage so we don't ask again on the same device.
5. Who we share data with
We don't sell your personal data. We share it only with the third parties listed below, and only to the extent needed to deliver the service.
- Hosting and infrastructure providers — to host the site and database.
- Email delivery providers — to send transactional emails (registration, password resets) and, where you've opted in, marketing emails.
- Analytics providers — Google Analytics, in aggregated and pseudonymised form.
- Market data providers — we use third-party data sources such as Alpha Vantage to obtain stock and fund data. Your personal data is not shared with these providers; only anonymous queries are made.
- Law enforcement and regulators — where we are required by law to disclose data.
Where any of these providers are based outside the UK, we ensure appropriate safeguards are in place (such as the UK International Data Transfer Agreement or adequacy decisions) before personal data is transferred.
6. How long we keep your data
- Account data — for as long as your account is active, plus a short period after closure to handle any final disputes or legal requirements (typically up to 6 years to align with statutory limitation periods).
- Activity data — for the duration of your account; anonymised after closure.
- Technical logs — typically 90 days for security and debugging purposes.
- Marketing preferences — until you change or withdraw them.
- Correspondence — for up to 3 years after the matter is closed.
You can ask us to delete your account at any time — see section 8.
7. How we protect your data
We take security seriously and use industry-standard measures to protect your data:
- Passwords are stored as one-way salted hashes (we never see them in plain text).
- Connections to the site are encrypted in transit using HTTPS / TLS.
- Forms are protected against cross-site request forgery using per-session CSRF tokens.
- Administrative access is restricted by IP allow-listing.
- Database access is limited to authorised systems and personnel.
No system is perfectly secure. If you become aware of a security issue with the site, please report it to us through the contact form and mark your message as a security report.
8. Your rights
Under UK GDPR you have the following rights over your personal data:
- Right to be informed — about how your data is used (this notice).
- Right of access — to request a copy of the personal data we hold about you.
- Right to rectification — to have inaccurate data corrected.
- Right to erasure — to have your data deleted (the "right to be forgotten").
- Right to restrict processing — to ask us to limit how we use your data.
- Right to data portability — to receive your data in a machine-readable format.
- Right to object — to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making — we don't make solely automated decisions that have legal or significant effects on you.
To exercise any of these rights, please use our contact form. We aim to respond within one calendar month.
You can also delete your account directly from your profile page, which will erase or anonymise your personal data subject to any legal retention obligations.
9. Complaints
If you're unhappy with how we've handled your data, please get in touch with us first so we can try to resolve the issue. You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office:
- Website: ico.org.uk
- Helpline: 0303 123 1113
10. Children
FundManager.co.uk is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us so we can delete it.
11. Changes to this notice
We may update this Privacy Notice from time to time. The "Last updated" date at the top of the page will reflect the most recent change. Where the changes are significant we'll let you know by email or by a prominent notice on the site. Please check back periodically.
Contact us
For any questions about this Privacy Notice or how we handle your data, please use our contact form.