ITC Privacy Statement (Apex)
Apex Privacy Statement v4.0
Date of issue: 21st October 2025
Owner: CRO
Public
Your personal information will be held by ITC, registered as ITC Compliance Ltd for the purpose of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
ITC is the Controller of personal data relating to the individuals within its Appointed Representatives, oversight clients and or prospective client firms, for the purposes of monitoring and meeting regulatory requirement for the Financial Conduct Authority, relationship management, marketing and business development. This statement relates to this data only.
Personal Data We Collect
ITC collects your personal data, including information provided in various ways. Some of this data is gained directly from you, including:
- Through the use of ITCs Learning system, interactions with ITCs proprietary compliance systems and associated platforms, through compliance audits, in emails, during recorded telephone calls and conversations, from business cards, when registering for services, when participating in surveys, and when using ITC’s websites.
Some personal data may also be gained indirectly, such as:
- Information gained through other organisations (for example Experian/Equifax) in the course of providing regulatory compliance services to you.
- Information we gather from your use of, and interaction with, our website and the devices you use to access them, using technology such as cookies.
The data that we collect will depend upon our interactions with you, your regulatory status, the privacy settings and features that you choose. The personal data we collect normally includes names, job title, company, IP addresses and contact details such as phone numbers and email addresses. Depending upon your role, data may also include information on work history, criminal convictions, financial status and regulatory history.
The table below sets out further detail on the ways in which we will use your data.
Personal data category |
Example data fields |
Legal basis for processing |
How we collect this data |
| Personal identifiable information | Name, surname, job title/roles, company name, description (containing ad-hoc information such as biographies, previous names), CF / SM functions, work history, criminal convictions, financial status and regulatory history IP address, cookies strings. |
Legal Obligation: For meeting regulatory requirements as laid down by the Financial Conduct Authority. Legitimate interest: For evidential purposes to manage and maintain records of client/prospect relationships/ communications. |
Directly from you: you may have voluntarily provided some of this information during the course of our interactions with you or you may have provided it by filling in required information into our learning system or on a form on our website. Indirectly: we may obtain some of this information from referrals from third parties or publicly available information. Passively from you: your IP address and cookies are passively provided by your computer when you access our website. |
| Contact information | Work phone number, work email address, work mobile number, department, work address, location | Legal Obligation: For meeting regulatory requirements as laid down by the Financial Conduct Authority. Legitimate interest: To contact you by telephone, direct marketing or individual email to arrange meetings with our experts in relation to work. |
Directly from you: you may have voluntarily provided some of this information during the course of our conversations with you or you may have provided it by filling in a form on our website. Indirectly: we may obtain some of this information from referrals from third parties or publicly available information. |
| Audit and business development conversations | Notes of all conversations, email exchanges, audit visit and follow up action notes, meeting notes, website enquiries relevant to oversight and business development activity. | Legal Obligation: For meeting regulatory requirements as laid down by the Financial Conduct Authority. Legitimate interest: For evidential purposes to manage and maintain records of client/prospect relationships/ communications. |
Directly from you: you may have voluntarily provided some of this information during the course of our interactions with you or you may have provided it by filling in required information into our learning system or on a form on our website. Indirectly: we may obtain some of this information from referrals from third parties or publicly available information. |
| Digital communications interaction (website, content, pages visited and compliance systems duration, webinars and associated platforms and email) | Dates and times of forms communications completed, downloaded, opened/clicked, referral sources, search requests, opt-in/out of email marketing. Some of this data is obtained using cookies. | Legal Obligation: For meeting regulatory requirements as laid down by the Financial Conduct Authority. Legitimate interest: Where the processing enables us to enhance, modify, personalise or otherwise improve our services and communications for the benefit of our customers Legitimate interest: To better understand how people interact with our website and content in order to enhance the customer experience. Legitimate interest: To determine the effectiveness of promotional campaigns to inform marketing strategy. |
Directly from you: you may have voluntarily provided some of this information by filling in a form on our website or clicking specific links i.e. opt-out link. Passively from you: your IP address and cookies are passively provided by your computer when you access our website/systems. |
| Complaints management Surveys, feedback and questionnaires. | These are specific to the request. | Legal Obligation: For meeting regulatory requirements as laid down by the Financial Conduct Authority and the Financial Ombudsman Service. | Directly from you: you may have voluntarily provided this information by completing an information request. |
Our legal basis for processing personal data
ITC relies upon our Legal Obligation or Legitimate Interest bases for processing the personal data obtained from the practices outlined in the Personal Data We Collect table above.
Legal obligation
In most cases we will process your personal data to enable us to comply with our obligations to the Financial Conduct Authority when acting as the Principal firm or as your primary compliance support function.
Legitimate interest
‘Legitimate Interest’ means the interests of our company in conducting and managing our business to enable us to give you the best services and experience. For example, we have an interest in making sure our services are relevant for you, so we may process your personal data to contact you by telephone with discussions tailored to your interests.
When we process your personal information for our legitimate interests, we make sure to consider the balance and any potential impact on you (both positive and negative) and your rights under the data protection regulation. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Our legitimate business interests may include some or all of the following:
-
For evidential purposes to effectively manage and maintain records of our relationships/communications with you;
-
For business development related activity such as contacting you by telephone or email to arrange meetings in relation to work or prospective work;
-
To enhance, modify, personalise or otherwise improve our services and communications for the benefit of you;
-
To better understand how you interact with our website and content in order to enhance your customer experience;
-
To determine the effectiveness of promotional campaigns to inform marketing strategy.
Recipients of Personal Data
- AWS – Europe only zones
- Google Cloud
ITC will ensure that any third-party processor has adequate data protection measures in place that align with the requirements of the GDPR by conducting periodic due diligence.
Once ITC has received your information ITC is committed to ensuring it has all necessary technical and organisational controls in place to keep your information secure. In order to prevent unauthorised access or disclosure ITC has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information ITC collects.
Retention period
ITC will only keep your personal data for as long as necessary for the purposes for which it was gained. Personal data will be retained for the purposes of direct marketing, relationship management and business development, or where we have another legal basis for processing (such as your consent or a contract with you) . ITC will review the personal data we hold periodically to check for accuracy and relevancy and to ensure that we continue to have a legal basis for processing. If the personal data is no longer necessary, or where we no longer have the legal basis for processing, we will delete or fully anonymise the data we hold on you, in line with our Data Policy. If your data becomes inaccurate, we will update it accordingly.
Complaints
ITC will be more than happy to help you should you have any complaints about the processing of your personal data, and you should contact us in the first instance. Under the Data (Use and Access) Act 2025 , you have the right to refer the complaint to the Supervisory Authority, the Information Commissioner’s Office (ICO), who are the national authority responsible for the protection of personal data if you remain dissatisfied with our response. A complaint can be made to the ICO via their website: ico.org.uk or through their helpline: 0303 123 1113.
Changes to this Privacy Statement
We reserve the right to change this statement. Changes will be published on our website https://itccompliance.com/privacy-statement and previous versions will continue to be available upon request.