Privacy policy

About this policy

In order to provide our service to you, we need to receive certain information about you, your financial products and your voting preferences. This policy explains the different services offered by Tumelo. It explains which kinds of information we may collect about you, what we do with this information, who we may share your information with and most importantly, your rights in relation to this information. Full Terms and Conditions are available to view on our website and must be accepted before you begin using our services. 


Who is Tumelo?  

We are Tumelo Limited (“Tumelo”, “we” or “our”), commonly known as Tumelo.  Our mission is to empower shareholder democracy with technology that supports impactful stewardship. 

  • We are a company registered in England and Wales.   
  • Our registered company number is 11072709.   
  • Our registered office is Greenway Farm, Unit 14, Bath Rd, Wick, Bristol BS30 5RL. 
  • Our trading office is at Runway East, 1 Victoria Street, Bristol, BS1 6AA.   
  • Our Data Protection Register number is ZA487614. 


What does Tumelo do?

Your pension and investments, whether you are an individual or an institutional investor, are used to buy pieces of the biggest companies in the world like Apple, Twitter and Shell through funds. Every year, all of these companies vote on issues that affect how they are run. Because you, or the institution you represent, own pieces of these companies through your investments in funds, we believe you should also have a voice in these votes. 

We partner with investment and pension providers to enable them to show you what companies you own through your pension/investments and to give you a voice on issues you care about.  


How can I use Tumelo? 

If your investment/pension provider has partnered with Tumelo, they will provide you with instructions for how to register with Tumelo and use our services.  

Service and marketing emails you may receive in relation to our services may also appear in the branding of your employer or your provider where we have been given permission to do so. We do this to streamline and improve your user experience. 


How can I contact you?  

  • You can contact our support team for support or enquiries. 
  • Or write to Runway East, 1 Victoria Street, Bristol, BS1 6AA. 
  • The language of communication will be English. 



Here are some of the more 'technical' words we'll use throughout this policy and what they mean:

Users: individuals who use Tumelo's services via the platform or APIs in accordance with agreed terms and conditions and in agreement with Tumelo’s privacy policy. 

Customers: individuals who use Tumelo's services are customers of the investment/pension providers ('providers') we partner with; when talking in respect of those providers we refer to our users as customers. 

Data: raw, unorganised facts that need to be processed.  

Information: when data is processed, organised, structured or presented in a given context that makes it useful, we refer to it as information. 

Investment/pension provider: a firm that handles your investments and/or your pension. This could be a digital investment platform, for example, or a human financial advisor. Your provider may have been chosen by your employer to supply a workplace pension for you and your colleagues. 

Fund managers: your fund manager is the person or firm responsible for managing a specific fund, usually employed or contracted by your investment/pension provider. They choose individual companies or a group of companies to invest in based on performance, risk and other criteria such as investment themes. Generally speaking, their main goals are to keep your money safe and to help you earn a good return on your investment so that your money grows above the rate of inflation. They are duty-bound to make decisions based on your best interests (this is called Fiduciary Duty). 

Shareholder:a shareholder is someone who owns shares in a company. If you own a pension, or purchase investments in funds, your money is used to buy shares in lots of companies. Therefore, we refer to you as a shareholder. It's likely that your provider or fund manager holds the legal right to a shareholder vote and that you are technically an 'indirect shareholder'. However, since it's your money, we believe you should have a voice too, and that's why we built Tumelo. 

Stewardship platform: the part of the Tumelo platform provisioned for use by institutional investors and investment consultants. 

Annual General Meeting: an event at a company where issues are raised and discussed by shareholders and management. This is usually where the company votes that you can participate in will occur. 

Data controller: a person or firm who (either alone or jointly) determines the purposes for which and the manner in which any personal data is used/processed. 

Data processor: Any person or firm who processes personal data on behalf of a data controller. 

Data processing: Obtaining, recording, holding and carrying out operations on personal data such as: 

  • organisation, adaptation or alteration of the information or data; 
  • retrieval, consultation or use of the information or data; 
  • disclosure of the information or data by transmission, dissemination, or otherwise making available; 
  • or alignment, combination, blocking, erasure or destruction of the data.


What data do you hold about me?  

We may collect, use, store and transfer the following types of information about you: 

Contact information:  
  • Your email address.
  • Your first and last name.
  • Your mobile phone number.

Demographic data:  
  • Your gender.
  • Your date of birth. 

Financial data:  
  • The financial products that you own and their relative weightings within your portfolio.

Feedback and enquiry data:  
  • Information about you and/or your experience of Tumelo's services that you provide to us via feedback surveys and user interviews. 
  • Information about you from emails and letters that you send to us (including any identity data that you provide to us, such as your name and email address). 
  • Any conversations between us and any feedback you give to us. 

Vote data:  
  • Information about how you vote. This includes what you vote on, how you vote, any comments you provide about your voting decision and any vote policies you choose to apply.
  • If you invest or have a pension with multiple providers who use Tumelo’s services, then we will hold your data in respect of each provider separately. 
  • We will never share personally identifiable information about you with your employer, provider, fund managers or other partners without your explicit prior consent.
Website data:

As is true of most websites, we also automatically gather information about your computer such as your IP address, browser type, referring/exit pages and operating system. When you visit our hosted pages, we also use cookies to identify you when you come back to the site.  For more information on the cookies we use, why we use them and more information about cookies generally, please see ourCookies Policy.    


Where did you get this data from?  

The above data is:  

  • Given to us directly by you when you choose to create an account with us. 
  • If we are integrated with your provider and you have consented for them to share your personal information with us, sourced through that route. 
  • Depending on the set up with your provider, provided by you via a magic link. The magic link is a hyperlink contained in the invite email sent to you by your employer or investment/pension provider. This link consists of the web address (URL) of Tumelo's platform as well as an identifier that tells us what financial products you have in your pension/investment account. The link has been encoded by your provider, not Tumelo, meaning Tumelo does not know what financial products you hold in your account until you choose to share that information with us by creating an account on our platform. The link does not contain any information about how much you have invested and does not include any other data about you or your financial situation. Your provider has shared aggregated and anonymised information about the financial products that all of their customers own. Tumelo uses the identifier in the magic link to work out which of those financial products you own at the time you create an account so that we only show you the information that is relevant to you personally, including a list of the companies that you are invested in. 
  • Gathered from third-party services such as Google's Web and Traffic Analytics tool. We use these services in order to better understand your needs and to optimise our service. These services use cookies and other technologies to collect data on your behaviour and devices. Feedback you share with Tumelo is sometimes used for promotional purposes and anonymously shared with Tumelo’s trusted partners, including future sales prospects. These services use cookies and other technologies to collect data on your behaviour and devices. 
  • Shared with us when you fill out your profile page, return a user survey or sign up for our mailing list. 
  • Shared with us when you use the help features associated with the platform. 


How do you use my data?  

We’ll only use your personal information where we have a valid reason to do so. Below, we’ve set out the ways in which we use your personal information and the reasons we do so. 


We use your data to provide you with a personalised service

We may use your information to provide you with:  
  • A list of the companies you own through your pension/investments
  • Associated votes you can vote on;
  • A record of your past votes;
  • A personalised profile page;
  • A personalised notification service.
We use the following information to do this:  
  • Financial Data.
  • Vote Data.
  • Contact Information.
We do this to:  
  • Provide you with personalised transparency, voting and notification services.


We use your data to improve our service for you and other users

We use your information to:  
  • Improve your user experience.
  • Select interesting votes.
  • Create new features.  
We use the following information to do this:  
  • Usage and Behavioural Data.
  • Vote Data.
  • Demographic Data, if you have chosen to provide this data to us.


We use your data to send you service emails

In circumstances where email communication has been enabled via our platform, we may use your information to:   
  • Notify you when new votes are available to you. 
  • Notify you about the progress, outcome and/or impact of votes you, your Tumelo community and/or other shareholders have participated in. 
  • Let you know if our service changes or if this policy changes in an important way. 
  • Let you know when you have an opportunity to participate in user testing to improve the services, for you and other customers. 
  • Communicate with you if you have made a request/asked a question/made a complaint with us or to the provider’s customer support team. 

We use the following information to do this: 
  • Contact Information. 
  • Vote Data. 
  • Information you tell us when you contact us/providers. 
  • Information you tell us when you give feedback about us. 

We do this to: 
  • Alert you about your upcoming votes, your vote results and key achievements of your Tumelo community. 
  • Support you to make the most of our service. 

You can opt out of receiving these emails at any time by changing your preferences on the profile page in the platform or by contacting our support team.  By unsubscribing from Tumelo's emails, you will not automatically be unsubscribed from marketing emails from your investment/pension provider. To unsubscribe from marketing emails from your provider, please go to their emails and/or website. 

We use your data to comply with our legal duties

To comply with our legal duties, we may also need to use your information to investigate activity that we suspect as being contrary to our Terms and Conditions and/or fraudulent in nature. 

We will only use your information for the reasons we have told you about above. If we need to use your information for any other reason, we will let you know and tell you the reason, unless the law stops us from doing so.

What is our lawful basis for processing data?   

Tumelo will process your data in accordance with an applicable ‘lawful basis’.  

We will sometimes directly ask for your consent to process your personal data, or we may receive consent from a third party like an investment/pension provider through which you access Tumelo’s platform. This will apply to activities where we have an express purpose for the processing such as agreeing to receive marketing communications from us. You have the right to withdraw such consent at any time.

In all other cases we will process your personal information for our legitimate interests, provided that such processing shall not outweigh your rights and freedoms. This processing shall be undertaken to: 

  •        Supply end users of the platform with a secure experience;
  •        Comply with legal or contractual requirements;
  •        Provision our services to our clients and end users;
  •        Administer the service we provide;
  •        Better understand and improve our services.


Who do you share my data with?  

We may share your personal data with other organisations so we can: 

  • Provide Tumelo's services to you. 
  • Improve our service to you. 
  • Comply with our legal duties. 

Tumelo and our partners (including your pension/investment provider) will not be able to identify you as an individual from the information we share with them. Any information shared will be anonymised and in most cases aggregated except in the instances where you have given explicit consent to be identified (for example, to participate in video/recorded user interviews). The only instance where personal details (Scheme name, and name of user) are shared is for Institutional investors voting via our Stewardship platform, as detailed below. 

Investment providers

  • We share aggregated and anonymised Vote Data with your provider so they are able to represent your voice at company votes. 
  • We share aggregated and anonymised Usage and Behavioural Data about you and other Tumelo users with providers so they can learn more in order to provide you with better customer service.


  • We may share aggregated and anonymised historical Vote Data and/or Usage and Behavioural Data with your employer if Tumelo's services are associated with your workplace pension. We do this in order to improve how your employer designs, selects, delivers and/or communicates your pension plan to suit you. 

Fund managers and other partners

  • Pension scheme members: We share your aggregated and anonymised Vote Data with fund managers ahead of relevant company votes so that your shareholder voice can be represented. 
  • Institutional investors (this only applies to investors using our Stewardship Platform for voting): To facilitate voting and communication between institutional investors and fund managers, we also share the scheme name you are voting on behalf of, and the name of the person who placed the vote (likely you). 
  • We may also share Vote Data with NGOs, research and government bodies as well as other financial services firms in line with our mission. 
  • We may also make aggregated and anonymised Vote Data publicly available on our own website. 
  • We may share anonymised information about your experience of Tumelo's services that you provide to us via feedback surveys, emails with Tumelo’s research team, and user interviews available to partners including future sales prospects.

Our service providers

  • We may, on a confidential basis, share your data with our own carefully selected sub-processors who are directly involved in delivering our services, such as IT providers. 
  • We only allow our sub-processors to handle your personal information if we are satisfied that they take appropriate measures to protect your personal information. 
  • We may also share personal information with external auditors for the accreditation and the audit of our accounts. 
  • We never sell or give your personal information to third parties to use for their own purposes without your explicit prior consent. 

In exceptional circumstances, we may disclose or transfer your personal information:  

  • If it is required by law. 
  • When we (or the provider) believe that disclosure is necessary to protect our rights, protect your safety or the rights and safety of other third parties, investigate fraud, or respond to a government request. 
  • To a third-party buyer or seller in the event that Tumelo is involved in a merger, acquisition, or sale of all or a portion of its assets. 

How long do you hold my data?  

We will retain your personal information for a period that is dependent on the purpose for which it was collected and to ensure compliance with legal and/or contractual obligations that may exist between Tumelo and third parties (e.g. an Investment Provider).

Your personal information will be removed in the following situations: 
  1. You voluntarily close your account either by use of automated account features or by contacting Tumelo directly. 
  2. Tumelo is instructed by a third party such as a pension provider (acting as Data Controller) to close your account and remove your data.  
  3. You have exercised your rights under UK GDPR and requested your personal information is deleted or you have instructed us to limit processing to an extent that would render us unable to continue providing you with access to Tumelo services. 
  4. Tumelo has closed your account due to a violation and there is no legal or regulatory interest in holding your personal data. 
We will only retain your data for as long as we have a legitimate reason to retain it. After this period, we will delete personally identifiable information such as: 
  • Contact information 
  • Demographic Data 
  • Financial Data 
We will continue to indefinitely hold anonymised data such as: 
  • Usage and Behavioural Data
  • Feedback and Enquiry Data
  • Vote Data
  • Website Data


Where is my data stored?  

Information we hold about you is stored and processed principally in the Tumelo platform. 

The platform is principally hosted in sub-processors' secure data centres within the European Economic Area (EEA). Your information may be shared with our carefully selected sub-processors, who are directly involved with the delivery of our services. Such sub-processors shall only process personal information in countries which have an adequate level of protection from a data protection perspective. Some of these sub-processors are outside of the EEA, namely the USA. Wherever possible, Tumelo ensures that sub-processors store data within the EEA. 

In the event that the processing of your personal information at any time requires it to be transferred to and/or stored or accessed from a destination outside the EEA, we will take all steps reasonably necessary to ensure that your data is treated securely, in accordance with this policy and safeguarded in accordance with all applicable legislation. 


How do you keep my data secure?  

We have appropriate security measures to prevent personal information from being accidentally lost, accessed or used unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. 

We continually test our systems and are IASME certified. This is a standard defined by the UK National Cyber Security Centre (NCSC) which covers both the Cyber Essentials accreditation and GDPR. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we can do so directly and will encourage providers to notify you in any instances we are unable to communicate with you directly. 

Aspects of Tumelo's services (such as company overview pages) and providers’ websites may include links to third-party websites which may collect your personal information. We have no control over what these websites do with your personal information. Please check the policies on these websites that should tell you what they do with your personal information. 


Do I have the right to reject to data processing?  

You have the right to object at any time to the processing of your personal information. You can make this objection to us by contacting our support team or to the provider in accordance with the procedure set out in their privacy notice which is available on their website. We will also pass any processing objection we receive on to the relevant provider for their consideration.  


What rights do I have over the processing of my data?  

You have a right to access any information we hold about you and request a copy of it, and to ask us to correct your personal information if it’s not correct. You have a right to ask us to delete your personal information and request that processing is restricted. This may affect our ability to provide our services to you. We will let you know if this is the case. 

With regards to email communications, you have a right to: 
  • Ask us to stop using your personal information to send you marketing emails
  • Ask us to stop using your personal information to send you service emails. 
Please note that if you opt-out of receiving service emails from Tumelo:  
  • You will not be notified via email of upcoming votes available to you or the progress/outcomes of votes you have participated in (where applicable). 
  • You will not be automatically opted-out of any other communications you may receive from your provider. 
  • You will need to inform your provider directly if you wish to opt out of their communications. Any request in regards to your data which is excessive may be subject to a reasonable fee to cover our administrative costs in providing you with the necessary details. We will always discuss this with you before proceeding with your request.

How can I make a complaint?

If you have a complaint, please contact our support team and we will do our best to fix the problem quickly.  
If you remain dissatisfied with the outcome of your complaint you can also contact the Information Commissioner (UK supervisory authority).  


Changes to this policy  

We’ll keep our privacy policy up to date on both our website and on our platform. If we make any significant changes to it we will notify you by email directly.