Third Party Privacy Notice

1. Important information and who we are

This Privacy Notice describes how we collect and process personal data of our investors, suppliers, business contacts/“friends” of Monument, and research participants. It also describes how that information may be used or disclosed by us to other third parties and the safeguards we use to protect it. Some of the parties that we work with may collect your personal data in their capacity as data controller. We therefore ask you to review such third parties’ privacy statements, typically available on their official websites, to understand their information practices.

When you provide your personal data to us, you agree to the collection, use and disclosure of information in accordance with this Privacy Notice.

This Privacy Notice was last updated on 16 November 2023 and it may change from time to time, so please check this page periodically for updates, as any changes may become effective immediately. We will assume that you accept any changes unless you tell us otherwise.

We use cookies and similar technologies on our Website, so please ensure you have read our Cookie Policy.

Please also review our Website Terms which set out the terms on which we allow use of our Website and also the applicable disclaimers and limitations of liability.    

If you have any questions about this Privacy Notice or any of our privacy practices, the personal data we hold, or you would like to exercise one of your legal rights in relation to personal data, please do not hesitate to contact us.

Find out more about the ways to contact us here.

If you have a complaint about how we use personal data we will do our best to fix the problem. If you are still not happy, you can refer your complaint to a data protection supervisory authority in the EU, in the country where you live or work, or where you think a breach has happened. The UK’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at

Find out more about our complaints process here.

For the purposes of data protection laws, the data controller is Monument Bank Limited, company number 10921940, and we have our registered office at 33 Cavendish Square, London, W1G 0PW. Monument Bank Limited is registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA475288.

2. What we may collect

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier. When you email, phone, WhatsApp, Skype or otherwise communicate with us, we may collect information such as your first name, last name, email address and phone number.
  • Contact Data includes email address, telephone numbers and any other electronic communication id (e.g. Skype I.D.).
  • Financial Data includes bank account details.
  • Profile Data includes your username and password, your interests, preferences, feedback and survey responses.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Third Parties and information we receive from other sources. We work closely with third parties (including, for example, business partners, suppliers, sub-contractors, analytics providers, and search information providers) and may receive information about you from them.

Where we collect special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) and it is necessary to do so for our business, we will obtain your specific consent, unless we have another lawful basis to process such special categories of personal data, such as our legal obligation. We normally process data on criminal records, PEP (politically exposed person) information and sanctions data if it is relevant as part of our due diligence processes, similar to “know your customer” (KYC) and to confirm your identity (copies of identity documents). We normally process such data on the basis of legal obligation where we are required to do so by law or, where relevant, with your consent.

Under data protection laws we will ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights. We will only process your personal data if at least one of the following bases applies:

  • You have given consent to the processing of your personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which we are subject;
  • processing is necessary to protect the vital interests of you or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
  • processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

If we receive personal data from you about another data subject in the course of providing our services to you, we expect you to have complete responsibility for ensuring that the contents of this Privacy Notice are brought to the data subject’s attention and you have obtained their consent in the process.

In some instances, it may be appropriate for us to combine your information with other information that we may be holding about you, such as combining your name with your geographic location.

We process personal data in relation to the following categories of data subjects (excluding colleagues and job candidates, where a separate privacy notice is applicable):

Investors - personal and business contact details, including names, telephone number, email address, personal address, copies of identity documents including passport and address documents for individuals such as directors and ultimate beneficial owners and trustees, as well as bank account details.

  • Purposes: to be able to provide information about our company and the details of any potential or actual investment; to be able to perform due diligence; to be able to contact these data subjects to arrange provision of share certificates and investor updates. Bank account details are required to make payments.
  • Lawful basis: as necessary to provide our service/ contract, or pre-contractual steps, or as may be necessary for us to comply with our legal obligations.

Suppliers - contact details in the business capacity, including email address and telephone number.

  • Purposes: as may be necessary to take pre-contractual steps, enable us to provide information about our business and to gather information about supplier services to engage contractually; to manage contracts and communicate with suppliers regarding contracts.
  • Lawful basis: contract/ pre-contractual steps.

Business contacts/“Friends” of Monument - personal (in the business capacity) and business contact details, including names, telephone number, email address, personal address.

  • Purposes: to enable us to provide updates on developments within Monument.
  • Lawful basis: legitimate interests of both Monument and data subjects.
  • The legitimate interest of Monument is to inform these individuals in their business capacity about developments within Monument and services that Monument offers. The data subjects’ legitimate interest is to be able to receive information that Monument believes may be relevant to the data subjects in their business capacity.
  • The collection and processing of the categories of personal data mentioned in this paragraph are necessary in order to inform data subjects about developments within Monument.
  • Contact information is obtained from individuals in their business capacity and the details of this Privacy Notice and an opportunity to unsubscribe will be provided with every communication.

Research participants - personal (in the business capacity) and business contact details including names, telephone numbers and email addresses only.

  • Purposes: to send out regular surveys to gather feedback from our target customer market.
  • Lawful basis: consent.

3. How we may collect and use your personal data

We (or third-party data processors, agents and sub-contractors acting on our behalf) may collect, store and use your personal data, using different methods to collect data from and about you, including through:

Direct interactions. You may give us your information by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

  • attend any of our events;
  • use any of our services;
  • invest with us;
  • subscribe to our services or publications;
  • request marketing to be sent to you;
  • enter a competition, promotion or survey; or
  • give us some feedback.

In addition to the above, we may use the information in the following ways:

  • To allow us to deliver the type of content and product offerings in which you are most interested.
  • To administer a contest, promotion, survey or other feature.
  • If you have opted-in to receive our e-mail newsletter, we may send you periodic emails. If you would no longer like to receive promotional e-mail from us, please refer to Section 6 “Your Rights” below. If you have not opted-in to receive e-mail newsletters, you will not receive these e-mails.
  • Provide information, and services that you request, or (with your consent) which we think may interest you.
  • Carry out our contracts with you.
  • Provide the relevant services to you.

If you don't want us to use your personal data for any of the other reasons set out in this Section 3, you can let us know at any time by contacting us at and we will delete your data from our systems. However, you acknowledge this will limit our ability to provide the best possible services to you.

In some cases, the collection of personal data may be a statutory or contractual requirement and we will be limited in the services we can provide you if you don't provide your personal data in these cases.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to our marketing communications or sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us at, and we will either delete your data from our systems or move your data to our "unsubscribe list". However, you acknowledge this will limit our ability to provide the best possible services to you.

With your consent and/or where permitted by law, we may also use your data for marketing purposes which may lead to us contacting you by email and/or telephone with information, news and offers on our services. We agree that we will not do anything that we have not agreed to under this Privacy Notice, and we will not send you any unsolicited marketing or spam. We will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under data protection laws.

Our third-party business partners, including RELX (UK) Limited, trading as LexisNexis (“LexisNexis”), may provide us with your personal data in order to enable us to conduct background checks and screening activities, comply with our legal obligations and for other purposes as described in this Privacy Notice. LexisNexis is responsible for any personal data which they may collect and hold about you until it is received by us. To learn more about how LexisNexis collects and uses your personal data, please see their privacy policy:

4. Where we store your personal data and security

We normally store your personal data with a cloud provider with servers in the UK and Ireland. We may transfer your collected personal data to storage outside the European Economic Area (EEA). It may be processed outside the EEA to receive our services and deal with payment. If we do store or transfer personal data outside the EEA, we will take all reasonable steps to ensure that your personal data is treated as safely and securely as it would be within the EEA and under data protection laws. Such steps may include, but not be limited to, the use of legally binding contractual terms between us and any third parties we engage with and the use of the EU-approved model clauses agreements. Your acceptance of this Privacy Notice shall be your consent permitting us to store or transfer personal data outside the EEA if it is necessary for us to do so.

Data security is of great importance to us, and to protect your personal data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data collected, including back up procedures, user names and passwords. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know and we have restricted folder access. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality and, where applicable, data processing agreements.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

By giving us your personal data, you agree to this arrangement. We will do what we reasonably can to keep your personal data secure.

We have implemented security measures such as a firewall to protect any data and maintain a high level of security.

Notwithstanding the security measures that we take, it is important to remember that the transmission of data via the internet may not be completely secure. You are advised to take suitable precautions when transmitting data to us via the internet, and you take the risk that any sending of that data turns out to be not secure despite our efforts.

We will keep personal data for as long as is necessary which is usually the life of our relationship and up to a period of seven years after our relationship has ended. We generally keep personal data for the following periods after the end of the relationship:

Investors - 6 years

Suppliers – 6 years for those with whom we had a contract, 12 months for those with whom we didn’t contract

Business contacts/“Friends” of Monument – 12 months

We may however be required to retain personal data for a longer period of time to ensure we comply with our legal and regulatory requirements. We review our data retention obligations to ensure we are not retaining data for longer than we are legally obliged to.

5. Disclosing your personal data

We are allowed to disclose your personal data in the following cases:

  • If we want to sell our business, or our company, we can disclose it to the potential buyer;
  • We can disclose it if we have a legal obligation to do so, or in order to protect other people's property, safety or rights;
  • We can exchange information with others to protect against fraud or credit risks.

We may contract with third parties to supply services on our behalf. These may include advertising, marketing and other services, including professional services. In some cases, the third parties may require access to some or all of your personal data which we hold.

These are the third parties that may have access to some of your personal data:

  • Cloud provider – Microsoft Azure;
  • Law firms - for the purpose of receiving legal advice;
  • Accountants – in order to comply with our statutory obligations;
  • Professional services – in order to provide you with independent reports and opinions relating to Monument business plans;
  • Research partners – in order to gather your input to surveys;
  • Due diligence data providers – in order to verify your identity and the potential risk of accepting funds from you as an investor.

Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your personal data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under data protection laws.

6. Your rights

When you submit information to us, you may be given options to restrict our use of your data. We aim to give you strong controls on our use of your personal data (including the ability to opt-out of receiving emails from us which you may do by unsubscribing using the email address provided above in this Privacy Notice and in the last paragraph of this section).

Under data protection laws, you have the right to:

  • request access to, deletion of or correction of, your personal data held by us at no cost to you;
  • request that your personal data be transferred to another person (data portability);
  • be informed of what data processing is taking place;
  • restrict processing;
  • object to processing of your personal data; and
  • complain to a supervisory authority.

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your personal data for such purposes or if we intend to disclose your information to any third party for such purposes.

If you have any other questions about this Privacy Notice, please contact us at

7. Third parties

Please note that our Privacy Notice does not cover other parties that may collect and process your personal data in their capacity as a data controller. We have no control over how your personal data is collected, stored or used by any such third-party data controllers and we advise you to check the privacy notices of any such third parties before providing any data to them. Privacy notices are normally displayed via links on official websites or you may contact the relevant third party to obtain a copy of their privacy notice.