Privacy Policy
Last updated: June 2026
1. Introduction
Loomis Vault Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our services.
Data Controller
Loomis Vault Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Registered Office: 1 Vault Square, London, EC2R 8AH
Company Registration No: 12345678
ICO Registration No: ZA987654
Data Protection Officer: dpo@loomisvault.co.uk
2. Information We Collect
2.1 Personal Information
- Full name, date of birth, and nationality
- Email address and telephone number
- Residential and correspondence address
- Government-issued identification documents (passport, driving licence)
- Proof of address documentation
2.2 Financial Information
- Declared values of stored items
- Payment card details (processed securely via PCI-DSS compliant providers)
- Bank account details for refunds or direct debit
- Billing history and invoice records
2.3 Technical Information
- IP address and approximate geolocation
- Browser type and version
- Device information and operating system
- Session data and login timestamps
- Pages visited and actions taken within the Client Portal
2.4 Vault Information
- Item descriptions and categorisations
- Photographs of deposited items
- Certificates of authenticity and valuations
- Deposit and withdrawal records
3. How We Use Your Information
We use your personal data for the following purposes:
- Account Management: Creating and maintaining your account, verifying your identity, and managing your vault holdings.
- Service Delivery: Processing deposits, withdrawals, shipments, and providing insurance coverage.
- Security: Protecting against unauthorised access, fraud detection, and maintaining the integrity of our systems.
- Communications: Sending service notifications, billing information, security alerts, and responding to enquiries.
- Legal Compliance: Meeting our obligations under anti-money laundering regulations, tax reporting, and other applicable laws.
- Service Improvement: Analysing usage patterns to improve our platform and services.
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract Performance: Processing necessary to fulfil our contractual obligations to you (storage, shipment, insurance).
- Legitimate Interests: Processing necessary for our legitimate business interests (security, fraud prevention, service improvement) where these do not override your rights.
- Consent: Where you have given clear consent for specific processing activities (marketing communications).
- Legal Obligation: Processing necessary to comply with legal requirements (AML regulations, tax obligations, court orders).
5. Data Sharing
We may share your personal data with the following categories of recipients:
- Insurance Underwriters: Lloyd's of London and associated syndicates for the purposes of insurance coverage, claims processing, and risk assessment.
- Payment Processors: PCI-DSS compliant payment service providers to process your payments securely.
- Shipping Partners: Trusted courier services for insured deliveries, limited to the minimum data necessary for delivery.
- Law Enforcement: When legally required by court order, warrant, or regulatory obligation.
- Professional Advisers: Auditors, lawyers, and accountants where necessary for compliance or dispute resolution.
We NEVER sell, rent, or trade your personal data to third parties for marketing purposes.
6. International Transfers
Your personal data is primarily stored and processed within the United Kingdom. In the event that data is transferred outside the UK, we ensure appropriate safeguards are in place:
- Transfers to countries with an adequacy decision from the UK Secretary of State
- Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office
- Binding Corporate Rules where applicable
You may request a copy of the relevant safeguards by contacting our Data Protection Officer.
7. Data Retention
We retain your personal data for the following periods:
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of relationship + 7 years |
| Closed account data | 7 years from closure |
| Audit logs | 5 years |
| KYC documentation | 5 years after relationship ends |
| Marketing consent records | Until consent withdrawn + 1 year |
After the retention period expires, data is securely deleted or anonymised.
8. Your Rights (GDPR)
Under the UK GDPR, you have the following rights regarding your personal data:
- Right to Access: You may submit a Subject Access Request (SAR) to obtain a copy of all personal data we hold about you. We will respond within 30 days.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain information (e.g., AML compliance, tax records).
- Right to Restrict Processing: You may request that we limit the processing of your data in certain circumstances.
- Right to Data Portability: You may request your personal data in a structured, commonly used, and machine-readable format.
- Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, contact our Data Protection Officer at dpo@loomisvault.co.uk.
10. Security Measures
We implement comprehensive technical and organisational measures to protect your personal data:
- 256-bit AES encryption for data at rest
- TLS 1.3 encryption for data in transit
- Multi-factor authentication for all account access
- Role-based access controls with principle of least privilege
- Regular security audits and penetration testing
- 24/7 monitoring and intrusion detection systems
- Secure data centres with ISO 27001 certification
- Regular staff training on data protection
11. Children
Our services are not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. If we become aware that a minor has provided us with personal data, we will take steps to delete such information promptly.
If you are a parent or guardian and believe your child has provided personal data to us, please contact our Data Protection Officer immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:
- We will notify you via email to your registered address at least 30 days before the changes take effect
- The updated policy will be posted on this page with a new "Last updated" date
- A summary of changes will be provided in the notification
We encourage you to review this policy periodically.
13. Contact & Complaints
Data Protection Officer
Email: dpo@loomisvault.co.uk
Address: Data Protection Officer, Loomis Vault Ltd, 1 Vault Square, London, EC2R 8AH
Telephone: +44 (0)20 7946 0958
ICO Complaint Procedure
If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.
Company Details
Loomis Vault Ltd
Company Registration No: 12345678
ICO Registration No: ZA987654
Registered Office: 1 Vault Square, London, EC2R 8AH
Email: privacy@loomisvault.co.uk