Privacy Policy

Privacy Policy — Transatlantic Compliance Advisory Ltd.

Effective date: 24 October 2025

This Privacy Policy explains how Transatlantic Compliance Advisory Ltd. ("TCA", "we", "us") collects, uses, discloses, and protects personal data in connection with our website, the Compliance Hub (digital products), and our consultant‑led Official Services.

1) Who We Are & Contact

Controller: Transatlantic Compliance Advisory Ltd., 71–75 Shelton Street, London, WC2H 9JQ, United Kingdom
ICO Registration (UK): ZC008212
Email: info@transatlanticcompliance.com
Website: www.transatlanticcompliance.com

Where we determine the purposes and means of processing, we act as controller. Where we process personal data strictly on a client’s documented instructions (e.g., files uploaded for an engagement), we act as processor and the Data Processing Agreement (DPA) governs.

2) Scope

This Policy applies to individuals in the EU, UK, and US, including consumers and business contacts. Where local law grants greater protection, that protection prevails for residents of that jurisdiction.

3) Data We Collect

Depending on your interactions:

Identity & Contact (name, email, phone, role, company, billing details).
Account & Transaction (purchases, subscriptions, access logs, fulfilment status).
Content You Provide (files/forms uploaded for services; feedback; training submissions).
Usage & Device (pages viewed, IP address, browser type, approximate location, device identifiers, referral/UTM).
Support & Communications (helpdesk messages, call notes, meeting recordings where consented).
Payment Processing (limited payment metadata; card data is processed by our PCI‑compliant provider).

Sensitive Data. We do not intend to collect special category/sensitive data. Do not upload such data unless we agree in writing under the DPA.

Children. Our services are not directed to children under 16 and we do not knowingly process their data.

4) Sources

Directly from you (checkout, contact forms, uploads, calls).
Your organisation (when your employer is our client).
Service providers (payments, analytics, communications).
Public and professional sources where lawful.

5) Purposes & Legal Bases (EU/UK)

We process personal data only where a legal basis applies (GDPR/UK GDPR Art. 6). Typical purposes/bases:

Provide and administer services and digital content (contract; pre‑contractual steps).
Account, billing, fraud prevention, collections (contract; legitimate interests; legal obligation for records).
Customer support and communications (contract; legitimate interests in service quality and responsiveness).
Compliance and record‑keeping (legal obligations under tax, accounting, and data‑protection laws).
Product improvement, analytics, service quality (legitimate interests; consent for non‑essential cookies/trackers where required).
Marketing (consent where required; otherwise legitimate interests with easy opt‑out).
Recruitment (pre‑contractual steps; legitimate interests; consent where required by local law).

Where we rely on consent, you may withdraw it at any time (without affecting prior processing). Where we rely on legitimate interests, we balance those interests against your rights.

6) US State Privacy Disclosures (CA/CO/CT/VA/UT and similar)

Residents of certain US states may have rights to access, correct, delete, port, and to opt‑out of (i) targeted advertising, (ii) sale or sharing of personal data, and (iii) certain profiling. We do not sell personal information for money. If we use cross‑context behavioural advertising, we will honour opt‑out rights and display required notices/links.

How to opt‑out: use our site’s “Do Not Sell or Share My Personal Information” link (where applicable) or send a Global Privacy Control (GPC) signal; we honour recognised GPC signals. You can also email us (see Section 11).

7) Cookies & Tracking

We use necessary cookies for core site functions and may use optional analytics/advertising cookies with consent where required (EU/UK). Manage preferences via our cookie banner or your browser settings. California residents may additionally use the Do Not Sell or Share link and/or GPC.

7A) Cookie Policy (Summary)

Controller: Transatlantic Compliance Advisory Ltd.
CMP: We use a consent management platform to capture and honour your preferences and to store consent logs (EU/UK).

Categories We Use

Strictly Necessary: Authentication, security, and load balancing; always active.
Preferences/Functionality (optional): Remember choices (e.g., language).
Analytics (optional): Understand usage to improve services.
Advertising/Measurement (optional): Where used, measure campaign performance and, in some regions, deliver interest‑based ads.

Your Choices

Use the cookie banner to accept/reject optional categories, and revisit preferences via the site footer link at any time.
Global Privacy Control (GPC): If your browser sends a recognised GPC signal, we treat it as an opt‑out of sale/share (California) and, where feasible, as a refusal of non‑essential tracking.

Data Retention & Signals

Consent records are retained as required by law and then deleted or anonymised.
Cookie lifetimes vary by purpose and provider; details are listed in our Cookie List (see link in footer).

Third‑Party Cookies

We work with providers (e.g., analytics, performance, payments). A current list of material cookies, their purpose, and duration is available in the Cookie List. Third parties may change identifiers periodically; we update the list on a rolling basis.

8) Retention

We retain personal data only as long as needed for the purposes described or to meet legal, accounting, or reporting obligations. Typical periods:

Account, purchase, and tax records: up to 7 years (or as required by law).
Support communications: up to 3 years after closure.
Marketing: until you opt‑out or after a defined inactivity period.
Uploaded engagement materials (processor role): per the DPA and client instructions.

9) Sharing & Disclosure

We share personal data with:

Service providers (hosting, storage, payments, analytics, email/SMS, videoconferencing, helpdesk, project management).
Professional advisers (legal, accounting, insurers).
Regulators/auditors where required by law.
Corporate transactions (merger, acquisition, financing) subject to confidentiality.

We do not allow providers to use personal data for their own independent purposes, except as necessary to provide their services or comply with law.

10) International Transfers

Where we transfer personal data outside the UK/EU/EEA, we use appropriate safeguards, such as the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, and implement supplementary measures as needed. Details are available on request and in our DPA.

11) Your Rights & How to Exercise Them

EU/UK. Rights include to be informed, access, rectify, erase, restrict, portability, object, and to be free from decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. You can also lodge a complaint with a supervisory authority (see ICO below).

US (selected states). You may request access, correction, deletion, portability, and opt‑out of targeted advertising, sale/share, or profiling. If we deny your request, you may appeal by replying to our decision email with “Privacy Appeal” in the subject line.

How to submit a request: Email info@transatlanticcompliance.com with “Privacy Request” in the subject, describe your request and your region, and verify your identity (or authorised agent’s authority). We will respond within statutory timelines.

Supervisory authority (UK): Information Commissioner’s Office (ICO), ico.org.uk. We encourage you to contact us first.

12) Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss, or disclosure. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

13) Third‑Party Links & Integrations

Our services may link to third‑party sites or use embedded integrations. Those parties operate under their own policies. Review their privacy notices before providing data.

14) Changes to This Policy

We may update this Policy from time to time. The “Effective date” shows when it last changed. Material updates will be communicated via our website or email where appropriate.

15) Roles Under the DPA (B2B)

For client uploads where TCA acts as processor, the DPA governs processing, sub‑processors, retention, deletion/return, and transfer safeguards. A list of material vendors is maintained in the Privacy Policy or a DPA Annex and is available on request where legally required.

Annex A — State‑Specific Disclosures (US)

California (CPRA): You have rights to know/access, correct, delete, portability, and to opt‑out of sale/share and targeted advertising. We honour Global Privacy Control signals. A “Do Not Sell or Share My Personal Information” link will be provided where applicable.
Virginia (VCDPA): Rights include confirm/access, correct, delete, portability, and opt‑out of targeted advertising, sale, and certain profiling, with an internal appeal right.
Colorado (CPA): Rights include access, correction, deletion, portability, and opt‑out of targeted advertising, sale, and certain profiling; universal opt‑out mechanisms are recognised as required by regulation.
Other States: Where a comprehensive privacy law applies, we will extend comparable mechanisms and respect mandatory opt‑out signals.

Annex B — Do Not Sell or Share My Personal Information (California & Similar Laws)

How to Opt‑Out. You may: (a) click the “Do Not Sell or Share My Personal Information” link in our site footer; (b) adjust preferences in the Cookie Banner/Preferences Centre; or (c) send a recognised Global Privacy Control (GPC) signal via your browser or extension. We treat these as an opt‑out of sale and sharing (cross‑context behavioural advertising) for the device/browser used.

Scope. The opt‑out applies to personal information collected online and, where required, to offline data associated with your account or identifiers. We will not use or disclose your personal information for sale/share after you opt‑out, except as permitted by law.

Verification & Agents. For account‑level requests, we may ask you to verify your identity or provide proof of authorised agent status. Opt‑out signals like GPC do not require additional verification.

Minors. We do not knowingly sell or share the personal information of consumers under 16. If you believe a minor has interacted with our services, contact us.

Reversing Your Choice. You can revisit the footer link or preferences centre to allow sale/share again at any time.

Metrics & Record‑Keeping. Where required, we maintain records of opt‑out requests and, if applicable, publish annual metrics.

Questions? Contact us at info@transatlanticcompliance.com.

Not sure where to start with compliance? Take the Investor & Enterprise Readiness Check and get a clear, professional recommendation within 48 hours.

Start the Readiness Check