PlutoIFA Privacy Policy
Last updated: 4 March 2026
This Privacy Policy explains how PlutoIFA (“PlutoIFA”, “we”, “us”) collects and uses personal data when you visit www.plutoifa.com (the “Site”) or contact us through the Site.
If you use PlutoIFA’s subscription services/portals as a customer (e.g., Adviser/Client/Governance portals), separate contractual documents (including a Data Processing Addendum where applicable) may apply to that service environment.
1) Who is responsible for your personal data
Data Controller: PlutoIFA
Registered address: [REGISTERED ADDRESS]
Email: contact@plutoifa.com
If you have questions about this Privacy Policy or how we use your data, contact us using the details above.
Supervisory authority (Cyprus/EU): The Office of the Commissioner for Personal Data Protection (Cyprus) is the relevant authority where Cyprus GDPR oversight applies.
2) What personal data we collect
We collect limited personal data through the Site:
A) Data you provide to us (contact forms / enquiries)
When you submit a contact form or request information, we typically collect:
- Name
- Email address
- Telephone number (if provided)
- Company/organisation (if provided)
- Message/enquiry content (whatever you type)
- Any attachments you choose to send (if the form supports attachments)
B) Data we collect automatically (cookies and site analytics)
When you browse the Site, we may collect technical and usage data such as:
- IP address (and approximate location derived from it)
- Device and browser information
- Pages viewed, clicks, time on page, referring pages
- Cookie identifiers and analytics identifiers
This is primarily collected via Google Analytics and related cookie technologies. Google states that Analytics uses identifiers such as cookies and may use IP addresses for service security and to give customers a sense of where users are located.
We’re not here to read your diary; we’re here to learn which pages people actually read before they bravely fill in the contact form.
3) What we use your data for
We use personal data for the following purposes:
Enquiries and relationship management
- To respond to contact requests, demo requests, and questions
- To communicate about PlutoIFA and requested information
- To maintain basic records of communications
Site performance and analytics
- To understand how visitors use the Site
- To improve content, navigation, and performance
- To measure the effectiveness of campaigns (where used)
Security and operational purposes
- To protect the Site, prevent abuse, and investigate suspicious activity
4) Legal bases for processing (GDPR)
Where the GDPR applies, we rely on one or more lawful bases for processing personal data. The GDPR sets out several legal bases including consent and legitimate interests.
In practice, we typically rely on:
- Legitimate interests: responding to business enquiries, maintaining business communications, and keeping the Site secure.
- Consent: for non-essential cookies/analytics (where required), and where you choose to opt in to certain tracking or communications.
(If you later become a customer under a contract, some processing may be necessary for a contract or to take steps at your request before entering into a contract.)
5) Cookies and Google Analytics
We use cookies and similar technologies on the Site. Cookie rules (and expectations around consent for non-essential cookies) are reflected in regulator guidance such as the UK ICO’s cookies information and guidance (useful even outside the UK as a practical benchmark).
What cookies we use
Strictly necessary cookies
These help the Site function (e.g., security, load balancing, basic preferences). These may be set without consent where permitted.
Analytics cookies (Google Analytics)
These help us understand site usage (e.g., traffic volumes, page popularity, navigation patterns). Google notes Analytics uses cookies (e.g., “_ga”) to distinguish users and measure usage.
Typical Analytics cookies may include (examples):
- _ga (commonly used by Google Analytics; duration can be up to 2 years)
- _ga_<container-id> (GA4-related)
Exact cookies can vary depending on configuration and updates.
Your choices
- You can manage cookie preferences via our cookie banner / settings tool (if implemented).
- You can also control cookies via your browser settings (note: blocking strictly necessary cookies may break site functionality).
6) Who we share data with
We may share personal data with:
- Service providers who help us run the Site and communications (e.g., hosting, email, analytics)
- Google as the provider of Google Analytics (acting as a processor/service provider depending on configuration)
We do not sell personal information.
7) International transfers
Some of our service providers may process data outside your country, including outside the EEA/UK.
Where the GDPR applies and data is transferred internationally, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) where required. The European Commission publishes SCCs for transfers to third countries, and the EDPB provides recommendations on supplementary measures for transfers.
8) How long we keep your data
We keep personal data only as long as necessary for the purposes described:
- Enquiries/contact form data: typically retained for [12–24 months] after the last interaction, unless a longer period is needed for legitimate business reasons (e.g., ongoing discussions) or legal obligations.
- Analytics data: retained in line with our Google Analytics settings and cookie lifecycles.
(Choose a retention period that matches your actual sales cycle; the bracket above is a sensible default for B2B.)
9) Security
We use reasonable technical and organisational measures designed to protect personal data. No internet system is perfectly secure, but we aim to keep the metaphorical doors locked and the keys not taped to the handle.
10) Your rights
Depending on where you are, you may have rights such as:
- access to your personal data
- correction/rectification
- deletion/erasure
- objection to processing (including certain legitimate interest processing)
- restriction of processing
- data portability (in some cases)
- withdrawing consent (where processing is based on consent)
If GDPR applies, you also have the right to lodge a complaint with a supervisory authority (including Cyprus’s Commissioner).
11) South Africa (POPIA) note
If you are in South Africa, PlutoIFA aims to process personal information in line with the Protection of Personal Information Act (POPIA) principles and requirements, including lawful and reasonable processing conditions.
For POPIA-related queries, you can also reference the Information Regulator guidance.
12) Children
The Site is not intended for children, and we do not knowingly collect personal data from children.
13) Links to other sites
The Site may contain links to third-party websites. We are not responsible for their privacy practices, and we recommend reviewing their policies.
14) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date shows when changes were made.
15) Contact us
To exercise your rights or ask questions, contact: https://plutoifa.com/contact/