Privacy Policy

Privacy Statement

The trustees of your scheme/plan are the data controllers under data protection laws.

The privacy notice for your scheme/plan explains:

Who the trustees are and how to contact them
What information is held about you and how it’s used
Your rights in relation to your personal information
How to contact the Information Commissioner’s Office

You can read the privacy notice for your scheme/plan here.

Cookie Notice

We use cookies and similar technologies (‘cookies’ for short) on this website. This notice explains:

What cookies are
The types of cookies we use
What we use cookies for
How you can control them

We don’t collect any of your personal information using cookies.

What are cookies?

Cookies are used to store information on your device or in its memory to improve your experience. They also provide useful insights to the website owner.

For example, they can be used to:

Improve website features and security.
Allow the website to remember actions you’ve previously carried out.
Provide analytics information on how users engage with the website.

Most cookies have an expiry date, but you can delete them at any time.
Browsers have settings to allow you to block and clear cookies.

Types of cookies used on our website

Cookies: Small text files stored on your device by your web browser. Most cookies have an expiry date, but you can delete them at any time.Browsers have settings to allow you to block and clear cookies.

Local storage: Small text files stored on your device by your web browser. The information stored remains even after you close the browser or restart the device. You can erase local storage at any time by deleting your browser's history.

Session Storage: Used by your web browser to store information in your device’s memory. Information held in session storage is cleared when you close your browser.

How we use cookies on this website

This section explains more about the specific cookies used on this website.

Strictly necessary cookies

These are set by default and do not require your consent, as they’re permitted by privacy laws. These cookies are required for the operation of our website.

They give us information needed for website security and to help the website function properly.

Name	Provider	Purpose	Expiry	Type
PrismSession	Civica	Civica-specific cookie used to maintain persistent server-side session continuity between PRISM and UPM.	Session	Session
__cf_bm	Cloudflare	Identifies and mitigates bot traffic; protects site from automated abuse.	30 minutes of inactivity	Bot management
CF_AppSession	Cloudflare	Used for Cloudflare Load Balancer session affinity; ensures subsequent requests route to the same origin.	Several seconds to 24 hours	Session
CF_Session	Cloudflare	Application-level session identifier used to maintain continuity for authenticated or semi-authenticated Cloudflare-proxied sessions.	Session	Session
CF_Authorization	Cloudflare Access	Contains JSON Web Token identifying authenticated user for Cloudflare Access protected applications. Required for SSO functionality.	Session (defaults to 24 hours)	Session (JWT)
.ASPXAUTH	Microsoft / ASP.NET	Determines whether a user is authenticated; contains encrypted authentication ticket.	Session	Authentication
ASP.NET_SessionID	Microsoft / ASP.NET	Maintains user session state on the server.	Session	Session
CookieControl	OneTrust	Stores user cookie consent preferences and banner settings.	CMP configurable	Consent-preference cookie
OptanonConsent	OneTrust	Stores consent choices for each cookie category and remembers user preferences.	1 year	Persistent, strictly necessary
OptanonAlertBoxClosed	OneTrust	Records that the cookie banner has been dismissed so it is not shown repeatedly.	1 year	Persistent, strictly necessary
UMB_SESSION	Umbraco CMS	Preserves visitor session state across page requests; required for Umbraco back-office operation. Used only for authenticated CMS administrators.	Session	Session
UMB_UCONTEXT	Umbraco CMS	Backoffice authentication cookie used to maintain login session. Used only for authenticated CMS administrators.	Session	Authentication cookie
UMB_XSRF_TOKEN	Umbraco CMS	Used by Angular to pass an anti-forgery token for secure requests. Used only for authenticated CMS administrators.	Session	Anti-forgery token
UMB_XSRF_V	Umbraco CMS	Stores server-side validation token for Umbraco backoffice anti-forgery protection. Used only for authenticated CMS administrators.	Session	Anti-forgery token

Functionality cookies

These are only set if you give us your permission.

They enable us to personalise our content and remember your name and preferences – for example, your choice of language or region.

Name	Provider	Purpose	Expiry	Type
intercom-session-*	Intercom	Tracks a unique browser session to restore chat history and maintain Messenger continuity.	1 week, refreshed on activity	Functionality
intercom-device-id-*	Intercom	Identifies each unique device interacting with the Intercom Messenger to ensure service integrity and prevent abuse.	270 days (refreshed on activity)	Persistent
intercom-id-*	Intercom Messenger	Stores user session identifier for Intercom Messenger; required for authenticated support interactions.	Intercom session cookies persist between logins; used for session identity	Persistent

Analytics and performance cookies

These are only set if you give us your permission.

These cookies allow us to count and differentiate users, as well as track the movement of visitors as they use our website.
They give us information to improve the way our website works, by ensuring users find what they’re looking for easily.

Name	Provider	Purpose	Expiry	Type
_pendo___sg_.*	Pendo	SDK storage fallback used when localStorage is unavailable; stores Pendo runtime and application data.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_accountId.*	Pendo	Stores the Pendo account identifier associated with the visitor.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_meta.*	Pendo	Stores metadata required by the Pendo Web SDK, including visitor, account, and agent settings.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_oldVisitorId.*	Pendo	Stores a previous anonymous visitor ID for identity mapping and merge operations.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_sessionId.*	Pendo	Stores the session identifier associated with Pendo analytics events.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_visitorId.*	Pendo	Stores anonymous or identified Pendo visitor identifier.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_unsentEvents.*	Pendo	Stores queued Pendo analytics events that have not yet been transmitted.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_utm.*	Pendo	Stores UTM campaign attribution parameters for analytics reporting.	Pendo documentation does not publish cookie expiry; cookies are used only as fallback when localStorage is unavailable.	Analytics
_pendo_guides_blocked.*	Pendo	Prevents Pendo in-app guides from displaying for a specific visitor or account.	30 minutes; extends up to 4 hours if no ad blocker is detected.	Analytics / Functional
_ga	Google Analytics (GA4)	Distinguishes unique users for analytics measurement.	2 years (subject to browser limitations)	Analytics
_ga_FJNMDHY864	Google Analytics (GA4)	Persists session state for a specific GA4 property.	2 years	Analytics
_pk_id	Matomo/Piwik PRO	Stores a unique visitor ID including visit count and timestamps.	13 months (default)	Analytics
FPAU	Google Ads / Google Marketing Platform	Stores interaction and attribution data for advertising performance measurement.	90 days	Analytics/Marketing
_dcid	Stape (server-side GTM)	Indicates a client identifier used in Stape server side tracking; relates to user identification for analytics and advertising use cases.	Not published; configurable via Stape Data Client settings.	Analytics / Marketing
stape	Stape (server-side GTM)	Used within the Stape server-side tracking ecosystem for state retention and identification.	Session	Analytics / Marketing
CF_Device	Cloudflare (APO/Worker)	Stores detected device characteristics such as mobile, desktop, or tablet.	Session (duration set by Cloudflare)	Analytics/Functional

To opt out of being tracked by Google Analytics across all websites, visit: http://tools.google.com/dlpage/gaoptout.

Third-party cookies

Sometimes, we link to third party websites or embed third party content on our pages.
If you access this content, the relevant third-party websites may also place cookies on your device.
We don’t have any control over this, so please check the relevant website’s privacy and cookies notice.

How can I control cookies?

You can use your web browser to delete, block or allow all cookies.
You can also block third-party cookies.

Additional options to control your cookies include:

Clearing all cookies when you close your browser
Using a private browsing session
Installing add-ons or plugins to give you more options

For general information about this, go to http://www.allaboutcookies.org.

Find out more on how popular browsers manage your data using these links:

Microsoft Edge cookies information.
Chrome cookies information.
Firefox cookies information.
Safari cookies information - Mobile and Desktop devices.
Opera cookies information.

Need some help?

How to

protect yourself from Pension and Investment scams

View

Financial Advice

where to find a Financial Advisor

View

Check

your State Pension

View