At Thirdfort Limited, we are committed to protecting and respecting your privacy.

This Privacy Policy explains how we will process the data relating to you that you provide to us (or that we may collect) when you visit our website at thirdfort.com (Website).

The Website is operated by Thirdfort Limited (we, us, our, Thirdfort), a company incorporated in England & Wales with company number 10757456 and registered office at Belle House, Platform 1 Victoria Station, London SW1V 1JT.

Thirdfort provides services to facilitate the safe and secure execution of legal transactions including, for example, the sale and purchase of property via its FCA-regulated, tech-enabled escrow and payment platform and digital identity verification tools. Please note that we are an independent technology provider to legal professionals and property professionals and we do not provide, own, sell or purchase any property (or other assets relating to legal transactions we process) ourselves or act in the capacity of an agent, broker or advisor.

Where we decide the purpose or means for the processing of the personal data that you provide via our Website, we are the “data controller”. As data controller, we will comply with all applicable data protection laws.

This policy should be read together with our Website Terms of Use (where applicable).

If you choose to use our technology services in connection with a third party (e.g. an estate agency, law firm or independent financial advisor), including our identification, background and credit reference checking services, that third party’s applicable terms and conditions will apply and govern how your personal information may be used.

This Privacy Policy only applies to the processing of personal data by Thirdfort when you use the Website or our services available on or through our Website.

Our Website may contain hyperlinks to third party websites. These websites operate fully independently from us, and we cannot accept any responsibility or liability for the privacy practices of such third parties nor the availability of these external sites or resources. The appearance of such links on our Website is not an endorsement. Should you use any of these websites, such use is at your own risk and we would advise that you review their respective privacy policies.

Please read this Privacy Policy carefully as it contains important information about the following:

• What information Thirdfort may collect about you
• How Thirdfort will use information we collect about you
• Whether Thirdfort will disclose your details to anyone else
• Your choices and rights regarding the personal information we hold about you

If you have any questions or comments about this Privacy Policy please contact us at:
Email: contact@thirdfort.com

1. WHAT PERSONAL INFORMATION DO WE COLLECT ABOUT YOU?

When you visit our Website (including any of our associate mobile apps), we may collect and process information (which may include your personal information) for the purposes of processing and on the legal bases listed below, and we may sometimes share this information as follows.

Visiting our Website and General Enquires

Types of Data
We may collect and store personal information you provide when using the Website, including when you login to access your account and/or ongoing cases, or when you contact us using the Contact Us details provided on the Website.
Personal data that we may obtain includes:

• your name
• your email address and/or postal address
• IP address
• Your username and password
• any other personal information you provide in a message you submit to us

Processing Purpose and Basis

We may legally process the personal information that we collect on the basis that we have a legitimate interest to do so or we are, under our legal obligation to do so or in order to provide a service under a contract:

• to respond to your enquiries
• to provide you with information about the services that we offer to property sellers, buyers, estate agencies and lawyers
• to manage risk or prevent other illegal or prohibited activities
• to resolve issues or fix problems on the Website.

Third Party Recipients

We keep your information confidential. We will not sell your information. We may disclose your information to our personnel and to third party suppliers or subcontractors (including our independent consultants, data analytics providers and cloud-based data processing and hosting providers). If we do share your information, we will only do so insofar as it is reasonably necessary for the purposes set out in this privacy policy, and provided that the recipients do not make independent use of the information and have agreed to adhere to the rules set out in this Privacy Policy. In some instances, this data sharing may involve the transfer of information outside the EU. Please see our section on International Data Transfers below.
Setting Up Your Account

Types of Data

When you set up your Thirdfort account, including set-up of a payment vault, we will ask you to provide some or all of the following personal information, depending on the type of transaction and which of our digital identity verification tools are being used. All account holders may be asked to provide:

• your full name
• your email address
• your username and password (which you create)
• your address
• your telephone number(s)
• your date of birth
• your information specific to your transaction (e.g. property offer information)
• your employment information (e.g. place of work, occupation, how long you have worked there)
• contact details of additional third parties that you might want to share your personal information with (e.g. your legal professional’s or estate agent’s full name, employers name, address, email, telephone)
• photographic proof of identity (e.g. passport or driving licence or identity card)
• financial personal details (e.g. bank details such as account holder name, sort code and account number, transaction details, account balance information)
  Processing purpose and basis

We can only provide our services, including account set-up, where you have provided certain requisite personal data. We will process this information based on either our legal obligation to do so, for the performance of a contract or where we have a legitimate interest to do so in the operation of our property transaction management services business:

• to create and maintain your own account with us;
• to perform our contract for the provision of transaction management services
• to provide authorised access and use of the payment vault system and secure holding and transfer of funds
• to ensure that certain legal requirements are met, such as right to reside requirements
• to conduct electronic identity checks, credit reference checks and source of funds checks using open banking data technology to access and analyse your financial and banking information
• cross reference your banking information and salary payments with your employer and employment history
• to share your personal information with the other third parties after you give us permission to do so
• to manage risk or prevent other illegal or prohibited activities, including in relation to anti-money laundering and prevention of fraud
• to respond to your enquiries and provide assistance

Third Party Recipients

We may share your personal information with third party service providers, such as external open banking data aggregators, credit reference and reporting providers, such as Onfido, Truelayer or Experian, to enable us to perform identity checks and source of funds checks which are key elements of the typical types of transactions for which our service is used that involve the processing of personal data (e.g. property transactions). Where we share your personal data with third parties, we will only do so as far as it is reasonably necessary for the purposes set out in the policy, provided that they do not make independent use of the information and have agreed to adhere to the rules set out in the Privacy Policy. In some instances, this sharing of data may involve the transfer of personal data outside of the EU. Please see our section on International Data Transfers below.
Transactions and Payments

Types of Data

To ensure the proper function of our escrow technology and that payments made into our secure payment vaults from transaction participant(s) (e.g. property buyers) are then paid to and received by the correct and genuine other transaction participant(s) (e.g. owner and seller of a property), we may ask for the following personal information:
Depending on your role in the transaction in question we may request the bank account details from which we shall extract payments or make payments to (whether personal or company account), including:

• bank name and branch location
• full name on bank account
• sort code
• bank account number

Processing purpose and basis

We collect and process your contact and financial details to provide you with our services, including the payment into and out of our insured payment vaults that are set-up to facilitate transactions such as property transactions and performing the necessary identity and source of funds checks associated with any transaction. We minimise the collection of information to the minimum required to enable us to perform of our contract with you (depending on the type of transaction and your role within it e.g. whether you are the buyer or seller in a property transaction), to provide and operate your account, to fulfil legal obligations in relation to payments and accounts record keeping, and/or where there are other lawful bases for processing.

Third Party Recipients

We engage third party payment service providers to assist us with our financial transactions, including Starling Bank and Lloyds. We will not provide further personal information to these payment service providers beyond the financial details that you have provided. As part of the service that we provide, including the maintenance and operation of your account and our Open Banking services, we will receive and hold financial information that you may provide directly to our third party service providers. We will only provide such information to other third parties where we have received your prior consent to do so or where we are legally obliged to do so.
Keeping You Updated (Mailing List)

Types of Data

Our Website does not contain third party advertising. We may collect information about you in order to send you our promotional or marketing communications, such as:

• your name (first and last)
• your email address

While we do not permit third party advertising (or targeted advertising) on our Website, if you do link to one of our Thirdfort social media platforms you may be subject to targeted marketing via that site.

Processing purpose and basis

Where we provide you with information about our products, services or offers via our email updates and e-newsletters, we will only use your personal information in this way in accordance with laws relating to marketing directly to individuals, and in the pursuit of our legitimate interest of marketing our business. If you have asked to be added to our mailing list, such as by submitting your details via our Website sign-up, we will provide your details to a third party company called SendGrid that helps us to produce and manage our newsletters and other marketing material. We provide these communications on the basis that you have asked to receive these. If you change your mind, you may opt-out at any time via the unsubscribe feature that appears in our emails or by emailing contact@thirdfort.com.

Third Party Recipients

We will not share with any third party the personal information that we obtain about you for the purposes of marketing, except for as stated in this policy and only where those third parties have agreed to make no independent or further use of that data and to maintain its confidentiality.
Our Approach to Objectionable Content

Types of Data

If you send us objectionable content, or behave in a disruptive manner when using our Website, we may process any personal information that you have submitted to us, including in your personal messages, to respond to and stop such behaviour.
Processing purpose and basis

We will only process personal information in this way for the following legitimate interests:

• ensuring that the use of our Website is lawful;
• ensuring that users do not disrupt or harass our staff, clients or other Website users; and
• enforcing our legal rights and complying with our legal obligations.

Third Party Recipients

Where we reasonably believe that you are or may be in breach of the law (i.e. the content you share on the Website amounts to harassment or is defamatory), we may use your personal information to inform relevant third parties about the content, such as:

• your email or internet provider; or
• law enforcement agencies

Where we process personal information in this way, we will hold that personal information on our systems for as long as is reasonably necessary to achieve these objectives.

2. data sharing with OTHER parties

We will only ever share your information with third parties in the ways that are described in this 
Privacy Policy. If you would like to find out more about how those third parties listed in this Privacy Policy use your information, this should be set out in their respective privacy policies accessible on their websites.

Personnel, Suppliers and Subcontractors

We keep your information confidential, but may disclose it to any member of our group (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006), our personnel or independent contractors and our suppliers or service providers insofar as it is reasonably necessary for the purposes set out in this Privacy Policy. However, this is on the basis that they do not make independent use of the information, and have agreed to safeguard this information. For further detail on main third party service providers that we engage, please see below.
Change of Control

If we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email, account message and/or a prominent notice on our Website of any change in ownership or uses of this information, as well as any choices you may have regarding this information.

Disclosure Required by Law or for Protection of the Business

In addition, we may disclose your information to the extent that we are required to do so by law (which may include to government bodies and law enforcement agencies), in connection with any legal proceedings or prospective legal proceedings; and in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention).

We may also disclose your personal information to third parties in order to enforce or apply the terms of agreements between us, to investigate potential breaches, or to protect the rights, property or safety of Thirdfort, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Third party service providers
In addition to the processing that we undertake ourselves, we also use third party processors to collect, export, store and otherwise process our data, include personal data, on our behalf. The processors that we engage include (without limitation):

• Onfido Limited (Identity Verification Services)
  Location: Various, including UK, Portugal and US
  https://onfido.com/gb/
• Experian PLC (Identity Verification Services, Credit Reference Checking and Scoring Services)
  Location: Various, including its EU-base in Republic of Ireland
  https://www.experian.co.uk/ or email UK.DPOBusinessEnquiries@Experian.com.
• TrueLayer Limited (Open Banking API Development Services)
  Location: Based in the UK
  https://truelayer.com/privacy/
• SendGrid & Twilio (Email and SMS Service Provider)
  Location: Various, including UK and US
  Home‍
• Google LLC (for Google Analytics and Google Cloud Services) (Web Management Tools and Cloud Platform)
  Location: Various, including US (by way of EU-US Privacy Shield certification)
  See above for Google LLC EU-US Privacy Shield certification link
  https://google.com/
  
• GoCardless
  Location: Various, including UK and US
  https://gocardless.com/
• Auth0
  Location: Various, including UK and US
  https://auth0.com/
• Aircall
  Location: Various, including UK and US
  https://aircall.com/
• Front App
  Location: Various, including UK and US
  https://frontapp.com/
• TextMagic
  Location: Various, including UK and US
  https://textmagic.com/
• Webflow Inc
  Location: Various, including UK and US
  https://webflow.com/
• Trustpilot
  Location: Various, including UK and US
  https://uk.trustpilot.com/

If you decide to contact us via a social media platform such as Facebook, LinkedIn or Twitter then you should be aware that you will be sharing your personal data and any information contained in your message via that social media platform. We interact with social media messaging platforms for inbound enquiries only and do not proactively share personal information with them. We endeavour to respond to social media enquiries via our other channels, typically email or over the phone.

‍

3. COOKIES & ANALYTICS

Our Website uses cookies and other mechanisms to collect log and analytical information, to help analyse how visitors use the site, to personalise content, support our security function and to compile statistical reports on Website activity.

Cookies may be used by us to do the following:

• enable us to respond to you and to tailor our operations to your needs, including remembering your preferences and to assist with account management
• assist the effective operation of the Website
• enable Website traffic to be logged to identify the webpages you visit and use so we may better understand browsing behaviour (including which webpages browsers find more useful) and improve our Website

To find out more about the use of cookies generally, please visit http://www.allaboutcookies.org/.

Our Website also uses website analytics, including Google Analytics as well as our own analytics software, to evaluate and improve our Website, personalise your experience and to offer the best, most accessible service possible to all of our customers.

To find out more about Google Analytics and to learn how to opt out, please visit:

• How Google uses data when you use our partners’ sites or apps, or
• https://tools.google.com/dlpage/gaoptout/.

When you visit our Website, these analytics service providers may collect the following data, which will almost always be anonymised and aggregated before reporting back to us:

• number of visitors to our Website
• pages visited while at the Website and time spent per page
• page interaction information, such as scrolling, clicks and browsing methods
• websites where visitors have come from and where they go afterwards
• page response times and any download errors
• date and time of the visit
• other technical information relating to end user device, such as IP address, access status/HTTP status code, your operating system and interface or browser plug-in

We process this information to understand how visitors use our Website and to compile statistical reports regarding that activity (for example, your IP address is used to approximate the geographic locations (e.g. country, region, city) from which you access our Website, and we aggregate this information together so we know that, for example, whether most of the visitors to our Website are London-based, originate from the UK or come from elsewhere).

We may also collect and process personal data for quality assurance, regulatory compliance, training, and customer service purposes by monitoring and recording email and/or telephone communications with you or between you and third parties using our systems or those of our third party agents and service providers.

This processing is crucial to the running of our online business and we therefore undertake such monitoring in the pursuit of our legitimate interests in improving our Website to provide a better service and source of information to visitors.

This information is not used to develop a personal profile of you.

4. YOUR RIGHTS IN RELATION TO THE PERSONAL DATA THAT WE PROCESS

You have the following rights over the way we process personal data relating to you. We aim to comply without undue delay, and within one month at the latest:

• to ask for confirmation and information about the personal data that we process about you, including a copy of data we are processing about you;
• to have inaccuracies corrected or incomplete personal data made complete;
• to ask us to restrict, stop processing, or to delete your personal data;
• to request a machine readable copy of your personal data, which you can use with another service provider. Where it is technically feasible, you can ask us to send this information directly to another provider if you prefer; and
• to not be subject to automated decision-making, including profiling; and
• to make a complaint to a data protection regulator. In the UK, this is the Information Commissioner’s Office. You may contact them at: https://ico.org.uk/concerns/

To make a request in relation to any of the aforementioned rights, please email us at contact@thirdfort.com.

If you are unhappy with the way that we are processing your personal data, please let us know. The best way to bring this to our attention is by emailing us at contact@thirdfort.com.

5. CHILDREN

If you are not 18 years or older, you must not use this Website.

We do not knowingly use the Website to solicit data from or market to anyone under the age of 18 (including, in particular, children under the age of 13) nor do we sell any of our products or services to children.

If a parent or guardian becomes aware that his or her child has provided us with information or may be receiving communications from us or has been otherwise interacting with us via our Website without consent of a parent or guardian, we ask that this be brought to our immediate attention. We will make it our priority to address this situation and delete information relating to a child as soon as practicable. In such an event, please contact us at contact@thirdfort.com.

6. SECURITY

We will take commercially reasonable, appropriate technical and organisational measures to ensure a level of security appropriate to the risk that could be encountered via the use of our Website and services, taking into account the likelihood and severity those risks might pose to the rights and freedoms of our Website visitors.

In particular, we will take precautions to protect against the accidental or unlawful destruction, loss or alteration, and unauthorised disclosure of or access to the personal information transmitted, stored or otherwise processed by us. Please be aware that, while we make the security of our Website and your personal information a high priority and devote considerable time and resources to maintain robust IT security, no security system can prevent all security breaches. When you choose to share your personal information with us, you accept the aforesaid and provide your information at your own risk.

7. RETENTION

In accordance with data protection laws and good commercial practice, we do not retain data in a form that permits identification of the person(s) to whom it relates for any longer than is necessary. Once the purpose for which information has been collected has been fulfilled, we will either permanently delete your personal information or remove all identifiers within it so that it is no longer personal data. We may use such anonymised data for research and/or business analysis purposes.

Where you have provided us with personal information to set up an account with us, we will retain those details for as long as your account remains active.

Where you have signed up to our mailing list, we will retain your details for as long as you remain on that list. If you unsubscribe, we will remove your details from the list.

Where we obtain your personal data in relation to the use or purchase of our services, including VAT or invoicing information, we are obligated by law to keep this for a minimum of 6 years.

If you would like us to stop using your personal information or restrict its use, please email us at contact@thirdfort.com.

8. INTERNATIONAL DATA TRANSFERS

Our servers are located in the European Union and the information that we collect directly from you will be stored in these servers. We may also transfer your personal data to our third party service providers, many of whom may be located outside of the EU, operate from multiple locations including non-EU based operations or engage sub-processors located outside the EU.

There are agreements in place to ensure that any international transfers of personal data to our affiliates or third party service providers have appropriate safeguards that meet the requirements of EU data protection laws.

Such appropriate safeguards may include standard data protection clauses adopted by a data protection regulator and approved by the European Commission, such as the European Commission’s standard contractual clauses. Alternatively, where personal data is transferred to the US, many of those US third party service providers are certified under the EU-US Privacy Shield framework approved by the European Commission.

To find out more about the standard contractual clauses, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en

To find out more about the EU-US Privacy Shield certification, please visit: https://www.privacyshield.gov/Program-Overview

If you would like to find out more about these safeguards or about our international transfer of data, please let us know by emailing us at contact@thirdfort.com].

9. CHANGES TO THIS POLICY

This Privacy Policy may be updated from time to time. We will notify you of any changes to this policy by posting the updated policy on our Website. You are advised to consult this Privacy Policy webpage regularly for any changes.

10. CONTACT

Questions, comments and requests in relation to this Privacy Policy are welcome and should be addressed to contact@thirdfort.com.