Privacy Policy

This privacy policy sets out how Nutmeg Saving & Investment Limited ("Nutmeg", "we", "us" and "our"), trading as John Lewis Investments, uses and protects any information that you provide to us.

John Lewis Investments is committed to ensuring that your privacy is protected. Should we ask you to provide information which could be described as personal data when using this website, it will only be used in accordance with this privacy policy.

John Lewis Investments may change this policy from time to time by updating this page. We will inform you of any material changes we make to this policy to keep you informed as to how your data is processed.


As set out in our Terms & Conditions (the "Agreement"), Nutmeg has appointed John Lewis plc (“John Lewis”) as our "Appointed Representative". Where you open an account with us where we are trading as John Lewis Investments or browse the John Lewis Investments site, this Privacy Policy applies.


Under the GDPR:

  • Controller decides why and how personal data is used. For example, when you make an account with us we decide how to best manage your account and protect your information.
  • Processor only uses personal information on behalf of a Controller, for example because it is providing services to the Controller.

If you have an account with John Lewis Investments, Nutmeg is sometimes the Processor and usually the Controller.

2.1 Nutmeg as processor:

  • If you sign up and agree to receive marketing from John Lewis, we'll share some of your information with John Lewis. For marketing this includes your first name, last name, email address, and direct marketing preferences (including if you have consented to, or opted out of, direct marketing from John Lewis, and when you signed up).
  • For your website visit we will share some website browsing data including data related to using the website log in.

John Lewis is the Controller of this information, and John Lewis will act in accordance with its own privacy policy available here.

2.2 Nutmeg as controller:

  • If you sign up for a John Lewis Investments account, we (Nutmeg) are the Controller of your information. We explain what we collect and why we use it in this privacy policy.

2.3 John Lewis and Nutmeg as independent controllers:

  • If you sign up for a John Lewis Investments account, both we (Nutmeg) and John Lewis are independent controllers of your core customer account information. This is your name, address, contact number, email address and whether or not you have a John Lewis Investment product under management.


We gather your personal data for the following purposes, and we will only use it for the purpose(s) it was collected.

3.1 Opening an account and suitability assessment

In order to create an account with John Lewis Investments we need to collect some personal information which allows us to verify your identity and fulfil our regulatory obligations including ‘Know Your Customer’ (KYC) checks.

3.2 Suitability Assessment

To comply with our regulatory obligations when opening an account with John Lewis Investments we are required to assess whether the investment products you are looking to take up are suitable for you; this includes understanding your tolerance to investment risk and current financial situation.

Where the Suitability process identifies that an investment product is not suitable, we may not be able to offer you the product. If you would like to understand more about this decision, or you believe there has been an error, you can discuss the suitability outcome with our Client Support Team.

You can ask for information about any automated decision making that has a legal or similarly significant effect on you. We’ll explain the logic involved, how we use the decision and any potential consequences. You can also object, give us extra information or ask us to review a decision. In certain circumstances you also have the right not to be subject to a decision based solely on automated processing.

3.3 Operating your account

On a day-to-day basis we process information necessary for your account to function correctly and for us to perform our contractual obligations toward you. This can range from details required for us to trade your investments, to data necessary for our technology infrastructure to run. This information is usually generated automatically by your account and our systems or may be collected as a result of a fault you have reported to our Customer Support Team.

3.4 Providing you with information and support

We record all interactions with our Customer Support Team including, but not limited to, emails, phone calls and our Secure Nutmails. We will also generate and keep a record of any mandatory or ad hoc statements and reports we produce for you.

3.5 Working with John Lewis

We will group your personal information with other information (for example, about other accounts) in order to provide John Lewis with anonymised statistical information (for example, number of accounts opened). We do this in our legitimate interest in complying with our agreement with John Lewis.

3.6 Improving our services and products

We are always looking to improve our services to you and our product offering, and for this reason we will collect and process data (including profiling) about how you interact with our website, such as where you click and your IP address, for analytical, development and research purposes. We may also receive information relating to you from third-party analytics providers. This helps improve our current services and may inform how we develop new products and services.

3.7 Marketing

We may use your personal data to share marketing information with you including direct marketing (we will always seek your consent in accordance with the relevant legal and regulatory requirements prior to engaging in this type of processing).

You can unsubscribe from marketing communication by clicking the link provided in relevant emails, or through the dedicated Preference Centre in your dashboard. You have a right to opt out of this type of processing, including profiling for direct marketing purposes, and can do so by contacting us at

3.8 Showing you an interest-based web journey

We may employ common tracking technology such as cookies and pixels to understand how you interact with our website for the purpose of showing you content on it that we think is most relevant to you.

You have a right to opt out of this type of processing, including profiling for direct marketing purposes, and can do so by contacting us at

3.9 Complying with legal and regulatory obligations

We collect as well as receive information about you from third parties such as details necessary to verify your identity to comply with legal and regulatory requirements for the prevention of financial crime. When required for the provision of the services, or volunteered by you, we may also process information which is classed as ‘special category’ under the GDPR including, but not limited to, information about your health and personal circumstances in order to service you in line with the FCA vulnerable customers guidelines and principles (we will always seek your consent in accordance with the relevant legal and regulatory requirements prior to engaging in this type of processing).


We collect this information primarily to satisfy legal requirements and to enable us to provide the services required under the Agreement between you and John Lewis Investments.

In particular, in order to provide you with a recommended portfolio and risk profile for your investment we are required to collect responses to the risk questionnaire and anticipated time horizon mentioned above. In some cases, your responses may result in our system determining that our investment product is not suitable for you.  If you are not satisfied with the result of this process, you may contact us at or by telephone on (0203) 598 1515. We can provide you with additional information about how we reached this decision and your options. 

In order to comply with our obligation to treat customers fairly under the FCA’s principles, it may be necessary for us to record certain personal data about a sub-set of our customers who may be classed as vulnerable customers under these principles. Some of this data may be classified as special category data, for which we require explicit consent, including information about a customer's mental and physical health. This data will be stored securely and accessed only by appropriately authorised personnel. The data will not be transferred to, or processed by, third parties.

Where consent is required, we will seek this from you – for example with respect to marketing preferences. Where consent is required and not provided or withdrawn it may result in non-benefit of service, or the inability to open an account with John Lewis Investments.


To process your personal data, we will rely on a number of different legal bases depending on the purpose of the processing, such as where:

  • We have a legal or regulatory obligation to process your personal data, such as performing checks for the prevention of financial crime.
  • We need to process your personal data in order to perform the Agreement between you and us;
  • We have specific legitimate business interests in processing your personal data, so long as these are not overridden, or unbalanced compared to your interests and/or fundamental rights and freedoms. Our legitimate business interests include:
    • improving our products and services,
    • analysing information to provide tailored content,
    • understanding and improving our direct marketing, and
    • if you are a business, sending direct marketing;
  • You have given us your consent to send you marketing information or to process special category data relating to you, such as health information.


John Lewis Investments will only send you marketing communications where you have given us your consent. This can be managed through our preference centre where you may withdraw this consent at any time. If you have any questions please contact


7.1 The right to be informed

You have a right to know what personal data we hold about you, for what purpose and how we process it, as detailed in this Privacy Policy.

7.2 The right of access and data portability 

You have the right to access the data that John Lewis Investments holds on you and request a portable version of this data.

7.3 The right to rectification 

You have the right to have inaccurate personal data rectified, or incomplete data completed respectively.

7.4 The right to erasure (“the right to be forgotten”)

You have the right to request erasure of the data held by John Lewis Investments. We are required to balance this right with our obligations under law and regulation with respect to record retention.

7.5 The right to object

You have the right to object to the processing of your personal data when this is based on legitimate interest, including profiling. You also have the right to object to the processing of your personal data for marketing purposes, including profiling for direct marketing purposes.

7.6 The right to restrict processing

You have a right to request that John Lewis Investments restrict the processing of your personal data, for instance while we process other requests under your rights as a data subject such as the right to object and the right to rectification detailed above.

7.7 Rights in relation to automated decision making and profiling

Where it is not necessary for the performance of the contract, or based on your explicit consent, you have the right not to be subject to a decision based solely on automated decision-making and profiling.

7.8 Contact Details

Should you have any questions or concerns about how we process your personal data you can get in contact by emailing us at You also have the right to raise issues with the Information Commissioner’s Office, by visiting their website or calling their helpline on 0303 123 1113.

You may seek to exercise any of these rights by emailing us at


John Lewis Investments is required to retain certain data records to comply with the Financial Conduct Authority’s (FCA) general record keeping requirements. To comply with these requirements, our policy is to retain this data for 7 years, and for any additional period required under prevailing regulation.

Your personal information may be transferred or disclosed to third parties where necessary under the Agreement. This enables us to provide Services to you and to discharge our obligations to third parties, including relevant government agencies and regulators. Such third parties may also have their own data retention periods.

In particular, we use GoCardless to process your Direct Debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at

We use Stripe to process debit card payments. More information on how Stripe processes your personal data and your data protection rights, including your right to object, is available at

Any requests for erasure during the retention period may not apply to all of these data records, and such records may only be deleted once the retention period has expired.


Customers' personal information is shared, where appropriate, with third parties that are Processors or Controllers in their own right. In both scenarios, appropriate legal measures are in place to safeguard the processing of your personal data.

For the purposes of the Agreement we are required to share your information with third parties. The situations in which we share this information are detailed below:

  • Regulatory bodies or the police to comply with our legal obligations;
  • Fraud prevention agencies, and other organisations in order to detect and prevent financial and other crime;
  • Suppliers, where necessary for the performance of the contract.

We employ the services of a number of third parties to provide the service under the Agreement and to improve our product and services.

We share your information with John Lewis (as explained in section 2.1 above). We also share anonymised information with John Lewis (as explained in section 3.4 above), but you cannot be identified from this anonymised information.

We may also share your personal information with certain suppliers when we have a legitimate interest to do so, or your explicit consent, as detailed below:

  • Data, service and software providers to help improve, develop and maintain our products and website (which may include, for example customer data modelling or statistical and trend analysis);
  • Data, service and software providers to provide you with an interest-based web journey.

We will endeavour to anonymise your data and/or minimise the amount of your data we share with these third parties, where possible. Prior to sharing any of your personal information with these suppliers we will ensure the appropriate contractual, technical and organisational measures are in place to safeguard your personal information, including the relevant arrangements should we transfer this data outside of the EEA.


We are committed to ensuring that your data is retained securely by us. In order to prevent unauthorised access to or disclosure of your data, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we collect.


Should John Lewis Investments transfer your data outside the United Kingdom (UK) or the European Economic Area (EEA) (as applicable) we will have appropriate additional measures in place to protect the data, and we will only transfer to countries and companies with adequate levels of protection.