​

Privacy Notice – PensionPortal.ai

Last updated: 01 March 2026 PensionPortal.ai (“we”, “us”, “our”) provides a digital platform to help pension scheme trustees manage their schemes and communicate with scheme members and other beneficiaries (“Clients”). This privacy notice explains how we collect and use personal data when Trustees and their Clients use our application. By “personal data” we mean any information that identifies, or can reasonably identify, a living individual.

---

​

1. Who we are and how to contact us

Controller: 137th Advisers Limited Registered address: Ireland Company number: [To be confirmed] Contact for privacy matters: Email: dpo@pensionportal.ai Phone: Available on request Postal: Available on request Data Protection Officer (DPO): Email: dpo@pensionportal.ai Our services are primarily provided in and to the European Economic Area (EEA), and we comply with the EU/EEA General Data Protection Regulation (“GDPR”) and applicable Irish data protection law.

---

​

2. Roles: Trustee vs PensionPortal.ai

In most cases:

• The Trustee (or sponsoring employer, where applicable) is the controller of member data in relation to the operation of the pension scheme.
• PensionPortal.ai acts as a processor when we process personal data on documented instructions from Trustees.
• In limited cases (for example, where we run our own analytics or maintain platform security logs), we may act as an independent controller of certain technical and usage data.

Trustees should ensure their own privacy notices explain how they use PensionPortal.ai and how member data is shared with us.

---

​

3. Categories of personal data we process

​

3.1 Trustee users

For Trustee users and other authorised scheme representatives, we may process:

• Identification data: name, job title, organisation, role on the scheme.
• Contact data: work email, work phone number, correspondence details.
• Account data: username, password (stored in hashed form), access logs, permissions.
• Usage data: login times, actions taken on the portal, device and browser information, IP address.
• Communication data: messages, support requests, meeting notes recorded in the system.

​

3.2 Clients (members and beneficiaries)

For Clients whose pension schemes use our platform, we may process, on behalf of Trustees:

• Core identity data: name, date of birth, gender, unique scheme/member ID.
• Contact data: postal address, email address, phone number.
• Employment and scheme data: employer name, employment status, salary band / pensionable earnings, contribution history, service dates, benefit options selected, retirement date, transfer values.
• Financial data (limited): bank details where required for benefit payment instructions (if captured by the platform), benefit and contribution amounts.
• Document data: identity verification documents, benefit quotations, options forms, letters, uploaded communications.
• Dependants/beneficiaries: names, relationship to member, dates of birth, contact details (where recorded by the Trustee).
• Special category data (only where necessary and permitted): for example, limited health information where relevant to ill-health early retirement or disability benefits, or data relating to marital status where it impacts benefits.

​

3.3 Technical and analytics data

When the application is used, we may process:

• Technical data: IP address, browser type, operating system, device identifiers.
• Usage analytics: pages visited, buttons clicked, time spent, error and crash diagnostics.
• Cookies and similar technologies: see section 10 (Cookies and tracking).

---

​

4. Where we get personal data from

We may obtain personal data from:

• Trustees and their agents (for example administrators, HR teams, payroll providers).
• Directly from Clients when they use the portal or contact us.
• Other processors acting on behalf of the Trustee (for example, scheme administrators, actuarial or payroll providers, insurers), as permitted under the Trustee’s instructions.
• Our own systems and logs, which generate technical and usage data.

We do not knowingly collect data directly from children unless this is specifically configured by the Trustee and appropriate legal bases and safeguards are in place.

---

​

5. Purposes and legal bases for processing

​

5.1 When we act as processor for Trustees

When acting as processor, we process personal data only:

• To provide the PensionPortal.ai service as described in our contract with the Trustee.
• To support Trustees in managing their pension schemes, including:
  • maintaining member records,
  • calculating and presenting benefits and options,
  • facilitating communications and document exchange,
  • supporting compliance and audit trails.
• To provide technical support, resolve issues, and maintain security and integrity of the platform.

The legal basis for processing in these cases is determined by the Trustee as controller, typically:

• Performance of a contract with the member or beneficiary.
• Compliance with legal obligations relating to pension scheme administration.
• Legitimate interests in properly administering the pension arrangement and communicating with members and beneficiaries.

​

5.2 When we act as independent controller

For certain limited processing, we act as controller and rely on the following legal bases:

• Legitimate interests (GDPR Art. 6(1)(f)):
  • Securing and improving our platform,
  • Protecting against fraud and misuse,
  • Internal management, record-keeping, and business analytics (using aggregated or pseudonymised data where possible).
• Legal obligations (GDPR Art. 6(1)(c)):
  • Complying with tax, accounting, and regulatory requirements,
  • Responding to lawful requests from courts, regulators, or law enforcement.
• Consent (GDPR Art. 6(1)(a)) in limited cases:
  • Where you actively opt in to optional features or communications that are not strictly necessary for the service.

You can withdraw consent at any time by using the relevant settings or contacting us.

---

​

6. How we share personal data

We may share personal data with:

• The relevant Trustee and authorised scheme representatives who use the platform.
• The Trustee’s other service providers (for example, scheme administrators, actuaries, payroll providers, professional advisers, insurers) where configured by the Trustee.
• Our own sub-processors, strictly for the purposes of providing the platform. Our current sub-processor list is available on our Sub-Processor Register.
• Professional advisers (for example, legal, tax, audit) where necessary.
• Regulators, courts, law enforcement, or other public bodies, where required by law.

We require all third parties to keep personal data secure and process it only in accordance with our written instructions and applicable data protection law. We do not sell personal data.

---

​

7. International transfers

Where possible, we host and process personal data within the EEA or in jurisdictions recognised as providing an adequate level of protection. Our current data residency position: For transfers to the US, we have put in place EU Standard Contractual Clauses (SCCs) and carry out transfer impact assessments.

---

​

8. How long we keep personal data

We keep personal data for as long as necessary to:

• provide the PensionPortal.ai service to the relevant Trustee and Clients,
• comply with our legal obligations,
• resolve disputes, and
• enforce our agreements.

When data is no longer needed, we will delete or securely anonymise it.

---

​

9. Your data protection rights

Depending on your relationship to the pension scheme and applicable law, you may have the following rights:

• Right of access — to obtain confirmation and a copy of your personal data.
• Right to rectification — to have inaccurate or incomplete data corrected.
• Right to erasure — to request deletion of your data in certain circumstances.
• Right to restriction — to ask us or the Trustee to restrict processing.
• Right to data portability — to receive data in a structured, machine-readable format.
• Right to object — to object to processing based on legitimate interests.
• Right not to be subject to automated decision-making that produces legal or similarly significant effects.

To exercise your rights:

• Contact the relevant Trustee using the contact details provided by them; or
• Contact us at dpo@pensionportal.ai.

You also have the right to lodge a complaint with: Data Protection Commission (DPC) Website: https://www.dataprotection.ie Phone: +353 57 868 4800

---

​

10. Cookies and tracking technologies

We use cookies and similar technologies to keep you signed in, remember preferences, analyse usage, and detect fraud. Where required by law, we obtain your consent before setting non-essential cookies. For full details, see our Cookie Policy.

---

​

11. Security

We take appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS) and at rest (AES-256)
• Role-based access controls and tenant isolation
• Security monitoring, logging, and incident response
• Regular security testing and dependency scanning

For full details, see our Security Overview.

---

​

12. Automated decision-making and profiling

PensionPortal.ai provides calculation tools, projections, and AI-assisted document generation. These tools:

• Are designed to assist Trustees and Clients in understanding benefits and compliance obligations.
• Always require human review and approval before any document is finalised.
• Do not make decisions with legal or similarly significant effects solely by automated means.

---

​

13. Changes to this privacy notice

We may update this privacy notice from time to time. We will indicate the date of the last update at the top of this page. Where changes are material, we will inform Trustees through the portal or by email.

---

​

14. How to contact us

If you have any questions about this privacy notice or how we handle personal data: Privacy Contact Email: dpo@pensionportal.ai Trustees may also contact us via their usual account manager or support channel.