Privacy Policy

We take your privacy very seriously. Please read this privacy policy carefully because it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

We collect, use and otherwise process certain personal data about you. When we do so we are responsible for our data processing activities in accordance with the UK General Data Protection Regulation (UK GDPR) to which we are subject.

This policy applies whenever we process your personal data, for example when you use our website, or when you interact with us in any other way (unless you are one of our employees or applying for a job with us, in which case our employee or job applicant data protection notice applies instead).

Key terms

Here are some key terms used in this policy:

We, us, our

Friend MTS Limited, incorporated in England and Wales with registered number 03513618, registered office Eleven Brindley place, 2 Brunswick Square, Birmingham, B1 2LP and any companies in its group

Personal data

any information relating to an identified or identifiable individual


any operation carried out on personal data, including collecting, organising, storing, retrieving, using, disclosing, transferring and deleting

Special category personal data

Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership

Genetic and biometric data (when processed to uniquely identify an individual)

Data concerning health, sex life or sexual orientation

Data subject

The individual who the personal data relates to

Personal data we collect about you

We may collect and use the following personal data about you:

• your name and contact information, including email address and telephone number and details of your employer

• information to check and verify your identity, e.g. your date of birth

• your gender

• location data

• billing information, transaction and payment card information

• your personal or professional interests

• your professional online presence, e.g. LinkedIn profile

• your contact history

• information from accounts you link to us, e.g. Facebook

• information about how you use our website, IT, communication and other systems

• your responses to surveys, competitions and promotions

• information included in your communications with us.

We generally collect and use this personal data to provide our technology solutions (products) and/or services, communicate with our customers, suppliers (actual, prospective and past) and other third parties and more specifically as set out below. Because our products and services are aimed at business customers, we are most likely to process your personal data if you work for one of our actual, potential or past customers, suppliers, partners or intermediaries (Business Partners) or if your own unincorporated business is a Business Partner.

How your personal data is collected

We collect most of this personal data directly from you—in person, by telephone, direct messaging, text or email and/or via our website and apps. However, we may also collect information:

• from publicly accessible sources, e.g. Companies House;

• directly from third parties, such as:

– your employer

– sanctions screening providers;

– credit reference agencies; and

– due diligence providers;

• from cookies on our website—for more information on our use of cookies, please see our cookie policy.

• via our IT systems.

How and why we use your personal data

Consistent with data protection law, we only process your personal data to the extent we have a proper legal basis for doing so. Our legal basis for processing your personal data will be one or more of the following:

• to comply with our legal and regulatory obligations; (Legal Obligation);

• to perform a contract with you or take steps at your request before entering into a contract (Contract);

• on a case-by-case basis, where you have given specific, informed and voluntary consent (Consent); or

• for our legitimate interests or those of a third party, unless they are overridden by your interests, rights or freedoms which require your personal data to be protected (Legitimate Interest).

We might carry out an assessment when relying on legitimate interests, to balance our interests against your own.

The table in Schedule 1 sets out the purposes for which we process your personal data and the legal basis of processing that usually applies for each purpose. Where Legitimate Interest applies, the table also describes the nature of the likely interest.

In the unlikely event that we process your special category personal data, our legal basis will be one of the following:

• we have your explicit consent;

• this is necessary to protect your (or someone else’s) vital interests where you are incapable of giving consent; or

• this is necessary to establish, exercise or defend legal claims.

Who do we share your personal data with?

We routinely share personal data with:

• third parties we use to help deliver our products or services, e.g. sub-contractors, payment service providers, mailing houses and delivery companies;

• other third parties we use to help us run our business, e.g. marketing agencies or website hosts;

• third parties approved by you, e.g. social media sites you choose to link your account to or third party payment providers;

• companies within our group, such as Friend MTS (US) Inc.

• credit reference agencies;

• our insurers and brokers; and

• our bankers.

Where these service providers and other third parties act as data processors on our behalf, we only appoint them if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on those service providers to ensure they can only use your personal data to provide services on our instructions.

We may also need to:

• share personal data with external auditors, e.g. in relation to accreditations and the audit of our accounts;

• disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations;

• share personal data with other parties, such as potential buyers of some or all of our business or during a restructuring—usually, information will be anonymised, but this may not always be possible, however, the recipient of the information will be bound by confidentiality obligations.

How long your personal data will be kept

We will keep your personal data only for so long as is necessary for the purposes of our processing or for any legally required period.

Broadly, this is for as long as we have an active relationship with you or your employer and for as long as necessary afterwards:

• to respond to any questions, complaints or claims made by you or on your behalf;

• to keep records required by law; and

• to enforce or defend our rights against any possible legal action for the applicable limitation period, typically six years after the cause of action arose.

Because the purposes and types of personal data that we process vary, different retention periods apply. These periods are set out in Schedule 2, Retention. These are maximum periods and we may delete your personal data earlier.

Transferring your personal data out of the UK and EEA

To deliver services to you, it is sometimes necessary for us to share your personal data outside the UK and EEA, e.g.:

• with our offices or other companies within our group located outside the UK/EEA;

• with your and our service providers located outside the UK/EEA;

• where there is a European and/or international dimension to the services we are providing to you.

Under data protection law, we can only transfer your personal data to a country outside the UK and EEA where:

• the UK government or EU Commission has decided the particular country ensures an adequate level of protection of personal data (an adequacy decision);

• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or

• a specific exception applies under data protection law

These are explained below.

Adequacy decision

We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:

• all European Union countries, plus Iceland, Liechtenstein and Norway (the EEA), Gibraltar; and

• Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay and certain organisations in Canada (where the data is subject to PIPEDA and the USA (where the EU-US privacy shield applies).

The countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries to which we may transfer personal data do not have an adequacy decision. Where there is no adequacy decision, we may transfer your personal data to another country if we are satisfied the transfer complies with data protection law, appropriate safeguards are in place, and enforceable rights and effective legal remedies are available for data subjects.

The safeguards will usually include using legally approved standard data protection contracts/clauses, such as the IDTA and Addendum (see or you can contact us to obtain a copy – see ‘How to contact us’ below).

Transfers under an exception

In the absence of an adequacy decision or appropriate safeguards, we may transfer personal data to a third country or international organisation where an exception applies under relevant data protection law, namely:

• you have explicitly consented to the proposed transfer after having been informed of the possible risks;

• the transfer is necessary for the performance of a contract between us or to take pre-contract measures at your request;

• the transfer is necessary for a contract in your interests, between us and another person; or

• the transfer is necessary to establish, exercise or defend legal claims

We may also transfer information for the purpose of our compelling legitimate interests, so long as they are not overridden by your interests, rights and freedoms. Specific conditions apply to such transfers, and we will provide relevant information if and when we seek to transfer your personal data on this ground.

Your rights

You have the following rights, which you can exercise free of charge:


The right to be provided with a copy of your personal data


The right to require us to correct any mistakes in your personal data

Erasure (also known as the right to be forgotten)

The right to require us to delete your personal data — in certain situations

Restriction of processing

The right to require us to restrict processing of your personal data in certain circumstances, e.g. if you contest the accuracy of the data

Data portability

The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party — in certain situations

To object

The right to object:

—at any time to your personal data being processed for direct marketing (including profiling);

—in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision making

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below).

If you would like to exercise any of those rights, please:

• email us — see below: ‘How to contact us’; and

• provide enough information to identify yourself (e.g. your full name, address, employer and customer, supplier or product reference number) and any additional identity information we may reasonably request from you;

• let us know what right you want to exercise and the information to which your request relates.

Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We continually test and improve our systems.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where legally required to do so.

How to complain

Please contact us if you have any query or concern about our use of your information (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner. The Information Commissioner may be contacted at or telephone: 0303 123 1113.

Changes to this privacy policy

This privacy notice was published on 15 November 2021 when it replaced any previous privacy policy published on our website.

How to contact us

You can contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint. Our contact details are shown below.

Our contact details

Legal Counsel, Friend MTS Limited, 177 Shaftesbury Avenue London WC2H 8JR

(+44) (0)203 588 2111

Schedule 1. Legal Bases for Processing

Purpose: Providing products and/or services to or purchasing them from your business or that of your employer

Legal Basis: Contract

Purpose: Preventing and detecting fraud against you or us

Legal Basis: Legitimate Interest – to minimise fraud that could be damaging for you and/or us

Purpose: Conducting checks to identify Business Partners and verify their identity

Screening for financial and other sanctions or embargoes

Other activities necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under health and safety law

Legal Basis: Legal Obligation

Purpose: Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies

Legal Basis: Legal Obligation

Purpose: Ensuring business policies are adhered to, e.g. policies covering security and internet use

Legal Basis: Legitimate Interest – to make sure we are following our own internal procedures or your procedures, so we can deliver the best service

Purpose: Operational reasons, such as improving efficiency, training and quality control

Legal Basis: Legitimate Interest – to be as efficient as we can so we can deliver the best service to you

Purpose: Ensuring the confidentiality of commercially sensitive information

Legal Basis: Legitimate Interest – to protect trade secrets and other commercially valuable information

Legal Obligation

Purpose: Statistical analysis to help us manage our business, e.g. in relation to our financial performance, customer base, product range or other efficiency measures

Legal Basis: Legitimate Interest – to be as efficient as we can so we can deliver the best service to you

Purpose: Preventing unauthorised access and modifications to systems

Legal Basis: Legitimate Interest – to prevent and detect criminal activity that could be damaging for you and/or us

Legal Obligation

Purpose: Updating and enhancing Business Partner records

Legal Basis: Contract

Legal Obligation

Legitimate Interest – making sure that we can keep in touch with our Business Partners about existing orders and new products

Purpose: Statutory returns

Legal Basis: Legal Obligation

Purpose: Ensuring safe working practices, staff administration and assessments

Legal Basis: Legal Obligation

Legitimate Interest – to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you

Purpose: Marketing our services and those of selected third parties to:

—existing and former Business Partners;

—third parties who have previously expressed an interest in our services;

—third parties with whom we have had no previous dealings.

Legal Basis: Legitimate Interest – to promote our business to existing and former Business Partners and others

Purpose: Credit reference checks via external credit reference agencies

Legal Basis: Legitimate Interest – to ensure our actual and prospective Business Partners and suppliers are solvent and likely to be able to meet their obligations

Purpose: External audits and quality checks, e.g. for ISO or Investors in People accreditation and the audit of our accounts

Legal Basis: Legitimate Interest – to maintain our accreditations so we can demonstrate we operate at the highest standards

Legal Obligation

Schedule 2. Retention Schedule. Business Partner records

Record: Account details

Retention period*: 7 years from end of relationship, i.e. end of contractual relationship or date of last contact (whichever is later)

Record: Sales/purchase analysis records

Retention period*: 5 years from the date of the earliest record being analysed

Record: Business Partner advice and opinions

Retention period*: 7 years from end of relationship with Business Partner

Record: Business Partner complaints

Retention period*: 7 years from end of relationship with Business Partner (including any extension to the relation while dealing with the complaint)

Record: Details of products/services not taken up

Retention period*: 5 years from end of relationship with Business Partner

Record: Voice recording

Retention period*: 6 months from date of the telephone conversation, provided that the period may be extended where there is an ongoing complaint or dispute

Record: Business Partner feedback — employee performance

Retention period*: 18 months from the date of the record

Record: Reviews by Business Partners

Retention period*: 5 years from end of relationship

Record: Records of Business Partners who have signed-up to receive non-marketing newsletters

Retention period*: Until Business Partner unsubscribes

Marketing and business development records

Record: Business Partner relationship management records — of former, current and potential Business Partners

Retention period: 2 years from last active engagement with Business Partner

Record: Direct marketing information relating to a current Business Partner,

Retention period: 2 years from last active engagement

Record: Direct marketing information relating to a potential Business Partner

Retention period: 2 years from data collection

Record: Information recorded on marketing suppression lists, ie individuals who have notified as they do not wish to receive marketing communications

Retention period: 50 years from the date the marketing opt-out request was received

Record: Website cookie data for targeted advertising

Retention period: 12 months from the date the cookie or tracking code was created

Data protection records

Record: Management of data subject requests

Retention period: 3 years from the date the request is completed (including regulatory appeals, investigations and court action), or last contact with data subject, whichever is later

Record: Data protection complaints

Retention period: 7 years from end of relationship with Business Partner (including any extension to the relation while dealing with the complaint)

Record: Compliance records

Retention period: 7 years from the date the document is no longer active or has been superseded

*In each case the retention period stipulated relates only to the personal data contained within the record after which time such data may be anonymised, pseudonymised or deleted and is a maximum period and without prejudice to our earlier deletion of the data.

Get in Touch

Talk with one of our experts for more information or a demo.

Please enter your enquiry here:

* indicates mandatory field

Friend MTS Limited
177 Shaftesbury Avenue

UK: +44 203 588 2111
US: +1 267 382 4280