Welcome to Thirdfort's Privacy Policy

This Privacy Policy explains what personal information is collected by us, Thirdfort Limited, a company registered in England and Wales with number 10757456 and registered office at Belle House, Platform 1 Victoria Station, London, England SW1V 1JT (“Thirdfort”, “we”, “us”, “our”) as part of our activities, and how we use that information.

Privacy Policy structure

To make it easier for you to review those parts of the Privacy Policy which apply to you, we have divided it up into the following sections:

• Section 1 – General: This Section 1 applies to everyone who may visit the Thirdfort Website, use the Thirdfort Portal or the Thirdfort App, or otherwise interact with us.

• Section 2 – Consumer: In addition to Section 1, Section 2 also applies if you are an individual who has downloaded and is using the Thirdfort App to carry out the verification requested by your professional advisor(s).

• Section 3 – Thirdfort Clients: In addition to Section 1, this Section also applies if you are a solicitor, estate agent or other professional user making use of Thirdfort Services. 

Accessing Thirdfort via a partner platform

If you are a Thirdfort Client accessing our Services via one of our third party partners (listed at https://www.thirdfort.com/terms/partners), then the personal information that you provide in the course of accessing or using our services will also be subject to that partner’s privacy policy, in addition to this one.

This section applies to everyone who visits or interacts with the Thirdfort Website, the Thirdfort Portal, or the Thirdfort App.

Personal Information we collect

When you visit the Thirdfort Website, email us, contact our Support team, or interact with us in general terms, we may collect: 

• your name

• your email address and/or postal address

• your phone number 

• your IP address

• any additional personal information you share with us

We process this Personal Information:

• to respond to your enquiries

• to provide you with information about Thirdfort Services

• to make our site better and make sure it is presented in the most effective way

• to manage risk or prevent other illegal or prohibited activities

• to resolve issues or fix problems on the Thirdfort Website, the Thirdfort Portal or the Thirdfort App

• for internal operations, analysis, testing and research and to generally improve the services we provide

If you decide to contact us via a social media platform such as Facebook, LinkedIn or X (formerly Twitter) then you should be aware that you will be sharing your personal data and any information contained in your message via that social media platform. We interact with social media messaging platforms for inbound enquiries only and do not proactively share personal information with them. We endeavour to respond to social media enquiries via our other channels, typically email or over the phone.

In all cases, where data is provided for us to provide Thirdfort Services, we are a processor of that data and the Thirdfort Client is the controller. 

Legal basis for processing Personal Information

Our legal basis for collecting and using Personal Information will depend on the Personal Information concerned and the specific context in which we collect it.

However, we will normally collect Personal Information from you only where:

• the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms;

• we have your consent to do so; or

• we need the Personal Information to perform a contract with you.

In some cases, we may also have a legal obligation to collect Personal Information from you. If we ask you to provide Personal Information to comply with a legal requirement or to perform a contact with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Information is mandatory or not (as well as of the possible consequences if you do not provide your Personal Information).

Who do we share your Personal Information with?‍

We will never sell your Personal Information. We may disclose your Personal Information to the following categories of recipients:

1. Our third party service providers who provide services to us, for example, to:

• support the delivery of, provide functionality on, or help to enhance the security of the Thirdfort Website, the Thirdfort Portal or the Thirdfort App, or 

• process Personal Information for content customisation, personalisation, ad selection and delivery, reporting, and measurement purposes. This may also include our data analytics providers and cloud-based data processing and hosting providers. If we share this Personal Information with these parties, we will only do so insofar as it is reasonably necessary for the purpose(s) for which we have collected it.   

Our third party service providers, as well as details about what types of information we share with them, can be accessed at https://www.thirdfort.com/terms/third-party-service-providers/.

2. Any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your interests or those of any other person;

3. An actual or potential buyer of our business (and their agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer they must use your Personal Information only for the purposes disclosed in this Privacy Policy;

4. Other relevant parties in order to enforce or defend our rights under an Agreement, or to protect the rights, property, or safety of Thirdfort, Thirdfort Client, Consumers, or others. This includes exchanging information with other companies and organisations for the purpose of fraud protection and credit risk reduction. 

How do we keep your Personal Information secure?‍

We will take commercially reasonable, appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the use of the Thirdfort Website, the Thirdfort Portal or the Thirdfort App, taking into account the likelihood and severity those risks might pose to your rights and freedoms.

In particular, we will take precautions to protect against the accidental or unlawful destruction, loss or alteration, and unauthorised disclosure of or access to the Personal Information transmitted, stored or otherwise processed by us. Please be aware that, while we make the security of the Thirdfort Website, the Thirdfort Portal and the Thirdfort App and your Personal Information a high priority and devote considerable time and resources to maintain robust IT security, no security system can prevent all security breaches. When you choose to share your Personal Information with us, you accept this and provide your information at your own risk.

Further information regarding our security can be found at: https://www.thirdfort.com/security-measures/.

Your data protection rights‍

You have the right to: 

1. withdraw your consent to our processing of your Personal Information.

2. be told what Personal Information we hold about you on our database and how we process that data.

3. request that we provide you with a copy (in a commonly used electronic format) of all the Personal Information that we hold about you. Unless you make repeated requests which are manifestly unfounded or excessive, we will not charge a fee for providing you with a copy of this data.

4. request that we correct any inaccurate or incomplete Personal Information that we hold about you.

5. request that we irretrievably delete all Personal Information that we hold about you (the so-called “right to be forgotten”). Please note that there are limited circumstances in which we are legally entitled to refuse to comply with this request.

6. request that we transmit all the Personal Information that we hold about you (in a structured, commonly used and machine-readable form) to another organisation’s IT environment. Note that we are only legally obliged to comply with this request if it is technically feasible for us to do so.

7. opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you, or by replying to any marketing text messages with the word “STOP”.

8. complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact the UK Information Commissioner’s Office at: https://ico.org.uk/concerns.

You can exercise any of the rights in 1–7 above at any time by contacting us using our details set out at the beginning of this Privacy Policy. 

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with Data Protection Laws.

Changes to this Privacy Policy

‍We may update this Privacy Policy from time to time in response to changing legal, technical or business developments, so please review it frequently. If we update our Privacy Policy and the amendments involve a material change to the way we collect, use, share, store or otherwise process your Personal Information then we will take appropriate measures to inform you, consistent with the significance of the changes we make.

Further queries in relation to your data protection rights

You can obtain further information about data protection and privacy laws by visiting the Information Commissioner’s website at: https://ico.org.uk/your-data-matters.

Where we process personal data concerning those in the European Union, we have appointed IT Governance Europe Limited to act as our EU GDPR Representative. If you wish to exercise your rights under GDPR, or have any queries in relation to your rights or privacy matters generally, please:

• email our representative at [email protected]; or 

• post your request or query to: EU Representative, IT Governance Europe, Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682

When contacting our representative please ensure you include our company name in any correspondence.

This section describes what information is collected by Thirdfort from Consumers, how that information is used by Thirdfort, and for how long Thirdfort keeps the information. You are a Consumer if you have been invited to provide Personal Information to Thirdfort so that we can carry out verifications on you for the benefit of the Thirdfort Client (i.e. professional advisor(s) you engaged), and this section will apply to you.

What Personal Information do we collect from Consumers?

When you share information with us in the Thirdfort App we will ask you to provide some or all of the following Personal Information, depending on the type of request that the Thirdfort Client has made:

• your full name

• your email address

• your address

• your telephone number(s)

• your date of birth

• information specific to your transaction (e.g. details of the property you are buying or selling)

• employment information (e.g. employer, occupation, how long you have worked there)

• photographic proof of identity (e.g. passport, driving licence, identity card)

• biometric data (e.g. photo, liveness video, audio) 

• financial personal details (e.g. bank details, transaction details, account balance information)

What do we do with the Personal Information that we collect from Consumers?

We will process the information that we have collected for the following purposes:

• to enable you to use the Thirdfort App to fulfil a request made by a Thirdfort Client.  

• to perform our contract with Thirdfort Clients for the provision of ID verification, Know Your Client (KYC) and Anti-Money Laundering (AML) checks.

• to conduct source of funds checks using open banking data technology to access and analyse your financial and banking information.

• to cross reference your banking information and salary payments with your employer and employment history.

• to enable you to share your personal information with any third parties that you designate, e.g. if you instruct a solicitor then you may choose to provide the solicitor with access to your information. 

• to respond to your enquiries and provide assistance.

Who do we share Consumers’ Personal Information with?

Your professional advisor

We will share your Personal Information with the Thirdfort Client(s) you have engaged. The Thirdfort Client is likely to be the solicitor, estate agent or other adviser who requested that you download the Thirdfort App and will be named in SMS invite messages from Thirdfort. Within the Thirdfort App it is clearly indicated at the top of your tasks list the Thirdfort Client that requested the tasks.  

Our partners

If the Thirdfort Client has purchased Thirdfort Services via one of the Thirdfort Partners listed at https://www.thirdfort.com/terms/partners/, then we may share your Personal Information with that Thirdfort Partner to the extent reasonably necessary in order for us to provide the Thirdfort Services.

Third party service providers

We may also share your Personal Information with third party service providers, such as external open banking data aggregators, credit reference and reporting providers, to enable us to provide Thirdfort Services (including but not necessarily limited to identity verification checks and source of funds checks).

Where we share your Personal Information with third parties, we will only do so as far as it is reasonably necessary for the purposes described in this Privacy Policy. Our third party service providers, as well as details about what types of information we share with them, can be accessed at https://www.thirdfort.com/terms/third-party-service-providers.

The third party service providers may check your Personal Information against databases that they have access to in order to verify your identity, and may also keep a record of the search. Where the third party service provider is Onfido Limited, then Onfido’s collection and use of your Personal Information for identity verification purposes is described in the Onfido Privacy Policy which can be accessed at https://onfido.com/privacy/.

Note that where we share your Personal Information with a credit reference agency for the purpose of carrying out an identity or credit check, the credit reference agency may keep a record of the search being made but this should not impact your credit score.

Transfers outside the United Kingdom 

Our servers, with Google Cloud Platform, are located in England and the Personal Information that we collect directly from you will be stored on these servers.

We may also transfer your Personal Information to one or more of our third party service providers listed at https://www.thirdfort.com/terms/third-party-service-providers, some of which may be located outside of the UK or EEA, appoint subprocessors outside the UK or EEA, or operate from multiple locations (including non-EU locations). If the Thirdfort Client is located outside the UK or EEA then we may also transfer your Personal Information to them.

We take all steps reasonably necessary to ensure your Personal Information is processed securely and in line with this Privacy Policy as well as the Data Protection Legislation. We will only transfer your Personal Information to third parties outside the UK if:

• it is located in a country confirmed by the UK government to provide adequate protection to personal data; 

• a contract is in place to protect the personal data as required under Data Protection Legislation. This may include standard data protection clauses adopted by a data protection regulator and approved by the European Commission, such as the European Commission’s standard contractual clauses; or

• we have another legal basis for doing so. 

How long do we keep Consumers’ Personal Information?

We will store your Personal Information only for the period of time that is necessary to conduct the relevant checks and provide Thirdfort Services to the Thirdfort Client in line with our contract with them. We endeavour to remove the personal data shared with us directly in its native form as soon as the relevant checks have been performed. 

Upon request by a Thirdfort Client or when we or any of our third party service providers no longer need to process the Personal Information, we will cease to process it and it will be deleted, unless retention is required by applicable law.  

This section describes what information is collected by Thirdfort from Thirdfort Clients, how that information is used by Thirdfort, and for how long Thirdfort retains the information. You are a Client if you use Thirdfort Services to carry out verifications on your clients, and this section will apply to you.

What Personal Information do we collect from Thirdfort Clients?

During the client onboarding process we will collect the following Personal Information:

• names and contact details of your personnel who will be using Thirdfort Services

• usernames and passwords

We will also collect Personal Information that you provide to us in connection with Thirdfort Services. For Thirdfort Services other than lite screening and identity document verification this will typically be:

• your client’s name

• mobile phone number and a brief transaction description for us to use as an identifier 

For lite screening, we will collect your client’s name, address and date of birth.

For identity document verification, we collect the image of your client’s identity document. 

What do we do with the Personal Information that we collect from Thirdfort Clients?

We will use the information that you provide during the onboarding process for the following purposes:

• to create and maintain your Thirdfort Client Account

• to provide Thirdfort Services and otherwise perform the Agreement with you

• to respond to your enquiries and provide assistance

If you provide us with Personal Information relating to your client in connection with Thirdfort Services:

• For all Thirdfort Services other than lite screening and identity document verification, we will only use this information to invite your client to download and register as a user of the Thirdfort App. 

• For lite screening and identity document verification, we will use the Personal Information you provide for the purpose of providing these services in accordance with our Terms of Use.

Who do we share Thirdfort Clients’ Personal Information with?

The third party service providers that we engage for the purposes of collecting, exporting, storing and otherwise processing our data, including your Personal Information, are listed at https://www.thirdfort.com/terms/third-party-service-providers.

How long do we keep your Personal Information?

As stated above, we keep your Personal Information for as long as you have a contract with us or as we reasonably need it to fulfil the purposes for which the data was collected.